Shibboleth For Plone

Updated as of June 25th, 2010

UCLA Shibboleth 2.1+ Guides: Installation guide, Configuration guide

Follow up with the installation of WebServerAuth: http://plone.org/products/webserverauth

Does “(null)” show up instead of the login name in Plone when all is said and done? Head over to your Apache SSL configuration (/etc/httpd/conf.d/ssl.conf) and modify your RequestHeader setting of X_REMOTE_USER to use the Shibboleth attribute you desire:

    RequestHeader set X_REMOTE_USER %{SHIBUCLALOGONID}e

The most up-to-date instructions for the Shibboleth plug-ins for Plone are available from Ithaka.org: http://tid.ithaka.org/shibplone.pdf

Here are older ones

Thanks to Alan Brenner for creating these plug-ins and for all the help: http://tid.ithaka.org/software

Thanks to Datta Mahabalagiri at UCLA AIS.

All my paths to files are for OS X.

Please connect your Service Provider to www.testshib.org to make sure your installation is solid before connecting to UCLA.

native.logger and shibd.logger should be set to DEBUG instead of INFO (Native Logger, Shibd Logger). They are located here:

    /opt/shibboleth-sp/etc/shibboleth/shibd.logger
    /opt/shibboleth-sp/etc/shibboleth/native.logger

...for the log files located here:

    /opt/shibboleth-sp/var/log/httpd/native.log
    /opt/shibboleth-sp/var/log/shibboleth/shibd.log

Check that you have the correct Attribute Acceptance Policy for the UCLA Identity Provider (AAP.xml):

    /opt/shibboleth-sp/etc/shibboleth/AAP.xml

Verify that you have the correct metadata for the UCLA Identity Provider (UCLA Metadata); mine is in the md namespace:

    /opt/shibboleth-sp/etc/shibboleth/ucla-metadata.xml

Set up your Shibboleth.xml like so: shibboleth.xml

Here is my example vhost in my httpd.conf (vhost.conf); it isn’t that pretty. Or check out what Alan Brenner did (Alan’s Vhost).

Make sure your Service Provider is receiving attributes correctly through a simple phpinfo() page or this page that can display Shibboleth attributes. Here is mine: https://test.psych.ucla.edu/secure/

Here is the code I found on Google: Check Attributes Page

First install the ApachePAS plugin: http://plone.org/products/apachepas

Then install the Shib plugins AutoUserMakerPASPlugin, ShibbolethLogin and ShibbolethPermissions from here: http://tid.ithaka.org/software

Configure AutoUserMakerPASPlugin in the ZMI at /psych/acl_users/AutoUserMakerPASPlugin to look like this: http://www.psych.ucla.edu/shibfiles/autouserconf.jpg

I’m only using the first two, HTTP_REMOTE_USER1 and HTTP_SHIB_DISPLAYNAME; you can ignore the rest of the “User Setup Headers”. Make sure you put whatever “User Setup Headers” you are using down below in the “User Mapping Headers”.

Configure Shibboleth Login at /psych/acl_users/ShibbolethLogin to look like this: http://www.psych.ucla.edu/shibfiles/shibloginconf.jpg

When you log in to your site, select the “Log in with a UCLA user id” link.

That’s it. Kinda rough. I don’t have a logout function yet. I haven’t gotten around to using ShibbolethPermissions yet, but maybe this might get you going: http://tid.ithaka.org/software/shibbolethpermissions/

Gotchas

“Session Creation Failure” errors were from having the wrong SessionInitiator in my shibboleth.xml.

“Rejected Replayed Assertion ID” errors were from an incorrect Host and Path in the RequestMapProvider.

Good Luck
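
For the “(null)” login name problem described near the top of this page, here is an added example (not part of the original guide or of the plug-ins) that reads the RequestHeader directives from ssl.conf and reports which ones copy an environment variable the Shibboleth SP is not actually exporting. The sample configuration, the X_DISPLAY_NAME header and the SHIBWRONGNAME and SHIBDISPLAYNAME variable names are constructed for illustration; compare against the variables your own attribute display page lists.

```python
import re

# RequestHeader set <header> %{<ENVVAR>}e   (value optionally quoted)
_DIRECTIVE = re.compile(
    r'^\s*RequestHeader\s+set\s+(\S+)\s+"?%\{([^}]+)\}e"?\s*$', re.IGNORECASE)


def header_sources(conf_text):
    """Return {header_name: env_var} for every 'RequestHeader set' that
    copies an environment variable; commented-out lines are skipped."""
    sources = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = _DIRECTIVE.match(line)
        if match:
            sources[match.group(1)] = match.group(2)  # last directive wins
    return sources


def null_headers(conf_text, sp_environ):
    """List (header, env_var) pairs whose variable is missing or empty in
    the environment the Shibboleth SP exported, i.e. headers that Plone
    would receive as "(null)" or blank instead of a login name."""
    return sorted(
        (header, var)
        for header, var in header_sources(conf_text).items()
        if not sp_environ.get(var)
    )


# Constructed ssl.conf excerpt; SHIBWRONGNAME is a made-up variable name.
SAMPLE_CONF = """
# RequestHeader set X_REMOTE_USER %{REMOTE_USER}e
RequestHeader set X_REMOTE_USER %{SHIBUCLALOGONID}e
RequestHeader set X_DISPLAY_NAME "%{SHIBWRONGNAME}e"
"""

# Constructed variables, as an attribute display page might list them.
SAMPLE_ENVIRON = {"SHIBUCLALOGONID": "jbruin", "SHIBDISPLAYNAME": "Joe Bruin"}

if __name__ == "__main__":
    for header, var in null_headers(SAMPLE_CONF, SAMPLE_ENVIRON):
        print(f"{header}: environment variable {var} is not set by the SP")
```
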