Shibboleth Applications Integration

SPIE Project has developed some 'glue' (JAAS Module) to Shibboleth-enable uPortal and other Applications.

This glue is based on a SPIE Working Package to make uPortal Shibboleth-aware. We started by trying to 'Shibbolise' JSPWiki, which uses Servlet Container-based authN/authZ. This proved to be more difficult than 'Shibbolising' uPortal or CAS Server, which use Application-based authN/authZ: uPortal took half a day to 'Shibbolise' and CAS Server less than one hour. It's worth mentioning that integration with uPortal is done via a ShibbolethSecurityContext, the standard way to provide a Security AuthN Handler for uPortal (we tested version 2.5.1 successfully). An equivalent approach was followed to Shibboleth-enable CAS Server (version 2.0.12). It shouldn't be difficult to Shibboleth-enable other Applications using SPIE's JAAS Module. Regardless of the level at which authN/authZ happens, you just have to follow one of these recipes (probably with some adaptations).

SPIE's JAAS Module comes with several possible Shibboleth Login Forms, namely a JSP, a Servlet and a Java Filter (all equivalent in theory). The easiest one to use is the JSP one, so these instructions are written for it. If you have any difficulties or if you successfully Shibboleth-enable any other Application using SPIE's JAAS Module, please let us know. BTW, the next Application to Shibboleth-enable in our 'to do' list is XPlanner.

Before starting Shibboleth-enabling, please follow the instructions stated in SPIE's JAAS Module, then return here, and proceed to the Application you want to make Shibboleth-aware.

uPortal

As mentioned before, uPortal uses Application-based authN/authZ. Here are the instructions to Shibboleth-enable a uPortal instance from scratch.

Step 13: Download, install and verify if it's running.

  • Download the latest version of uPortal (Tip: Use the QuickStart version, as it is easier), follow the installation instructions and verify if uPortal is running.
  • Shutdown uPortal.

Step 14: Copy and Map SPIE's Shibboleth Login Form.

SPIE's JAAS Module comes with several JSP and Servlet Login Forms. These instructions are written for the JSP one (shiblogin.jsp). If you prefer to use the Servlet one (SpieShibLoginServlet), adapt the following two items accordingly.
  • Copy SpieJaas/Web-src/web/shiblogin.jsp to $TOMCAT_HOME/webapps/uPortal/.
  • Edit uPortal's deployment descriptor file ($TOMCAT_HOME/webapps/uPortal/WEB-INF/web.xml) and add the following mapping to SPIE's Shibboleth Login Form:
<!--  This is the Servlet/JSP that is used as SPIE's Shibboleth Login Form -->
<servlet>
  <servlet-name>LoginForm</servlet-name>
  <display-name>Login Form</display-name>
  <description><![CDATA[Login Form]]></description>
  <!-- Use jsp-file if you want to use a JSP page to handle Shibboleth Logins -->
  <jsp-file>/shiblogin.jsp</jsp-file>
  <!-- OR use servlet-class if you want a servlet to handle Shibboleth Logins
  <servlet-class>uk.ac.oxford.middleware.auth.shib.SpieShibLoginServlet</servlet-class>
  -->
  <init-param>
    <param-name>attributeAsUsername</param-name>
    <param-value>urn:mace:dir:attribute-def:cn</param-value>
  </init-param>
  <init-param>
    <param-name>loginQueryString</param-name>
    <!-- Standard Java Login Form 
    <param-value>
      <![CDATA[%HOST%%CONTEXTPATH%/j_security_check?j_username=%USERNAME%&j_password=%PASSWORD%]]>
    </param-value>
    -->
    <!-- uPortal -->
    <param-value>
      <![CDATA[%HOST%%CONTEXTPATH%/SpieLogin?action=login&userName=%USERNAME%&password=%PASSWORD%]]>
    </param-value>
  </init-param>
</servlet>

<servlet-mapping>
  <servlet-name>LoginForm</servlet-name>
  <url-pattern>/SpieLogin</url-pattern>
</servlet-mapping>
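To make the two init-params above concrete, here is an added sketch of what a Shibboleth login form of this kind does; it is not SPIE's shiblogin.jsp or SpieShibLoginServlet. It reads the attribute named by attributeAsUsername (assumed to be exposed by the Shibboleth SP as a request attribute or header), refuses to continue if the attribute is missing, URL-encodes the value into the loginQueryString template and redirects the browser there. The class name, the attribute lookup order and the constant password placeholder are assumptions.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical login form servlet (not SPIE's SpieShibLoginServlet), driven by the
// attributeAsUsername and loginQueryString init-params shown in the web.xml above.
public class ExampleShibLoginServlet extends HttpServlet {
    private String attributeName;   // value of attributeAsUsername
    private String template;        // value of loginQueryString

    @Override
    public void init() throws ServletException {
        attributeName = getInitParameter("attributeAsUsername");
        template = getInitParameter("loginQueryString");
        if (attributeName == null || template == null) {
            throw new ServletException("attributeAsUsername and loginQueryString are required");
        }
    }

    // Assumption: the SP exposes the attribute as a request attribute (AJP) or as a header.
    static String lookupAttribute(HttpServletRequest req, String name) {
        Object value = req.getAttribute(name);
        if (value == null) value = req.getHeader(name);
        return value == null ? null : value.toString().trim();
    }

    // Expand %HOST%, %CONTEXTPATH%, %USERNAME% and %PASSWORD%; user-derived values are URL-encoded.
    static String expand(String tpl, String host, String ctx, String user, String pw)
            throws IOException {
        return tpl.replace("%HOST%", host)
                  .replace("%CONTEXTPATH%", ctx)
                  .replace("%USERNAME%", URLEncoder.encode(user, "UTF-8"))
                  .replace("%PASSWORD%", URLEncoder.encode(pw, "UTF-8"));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = lookupAttribute(req, attributeName);
        // Fail closed: no attribute means the SP did not protect this URL or released nothing.
        if (user == null || user.length() == 0) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "No Shibboleth username attribute");
            return;
        }
        String host = req.getScheme() + "://" + req.getServerName() + ":" + req.getServerPort();
        // No password exists in the Shibboleth flow; a constant placeholder fills the template.
        resp.sendRedirect(expand(template, host, req.getContextPath(), user, "shibboleth"));
    }
}
```

Because the form trusts whatever the SP supplies, the URL it is mapped to (/SpieLogin above) must itself be protected by the Shibboleth SP so that the attribute cannot be supplied by the client directly.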

Step 15: Copy Shibboleth Security Context.

  • Copy SpieJaas/uPortal-SecurityContext/ShibbolethSecurityContextFactory.class and SpieJaas/uPortal-SecurityContext/ShibbolethSecurityContext.class to $TOMCAT_HOME/webapps/uPortal/WEB-INF/classes/org/jasig/portal/security/provider/.

Step 16: Replace uPortal Default Security Context by Shibboleth One.

  • Edit $TOMCAT_HOME/webapps/uPortal/WEB-INF/classes/properties/security.properties and replace the default security context (SimpleSecurityContextFactory) with the Shibboleth one (ShibbolethSecurityContextFactory).
#root=org.jasig.portal.security.provider.SimpleSecurityContextFactory
root=org.jasig.portal.security.provider.ShibbolethSecurityContextFactory

Step 17: Change uPortal Front Page.

If you decide to use only Shibboleth for authN, you should remove the default Login Form from the front page and replace it with a link to SPIE's Shibboleth Login Form.
  • Edit $TOMCAT_HOME/webapps/uPortal/WEB-INF/classes/org/jasig/portal/channels/CLogin/CLogin.ssl and change it to:
<?xml version="1.0"?>

<?xml-stylesheet href="CLogin/Shibboleth_html.xsl" type="text/xsl" media="netscape"?>
<?xml-stylesheet href="CLogin/Shibboleth_html.xsl" type="text/xsl" media="explorer"?>
<?xml-stylesheet href="CLogin/Shibboleth_html.xsl" type="text/xsl" media="opera"?>
<?xml-stylesheet href="CLogin/login_wml.xsl" type="text/xsl" media="up"?>

<document>
</document>
  • Make a copy of the CLogin.ssl file mentioned in the previous item as Shibboleth_html.xsl in the same folder ($TOMCAT_HOME/webapps/uPortal/WEB-INF/classes/org/jasig/portal/channels/CLogin/).
  • Edit the Shibboleth_html.xsl file, comment out the Login Form and add the 'Login via Shibboleth' link.
...
    <!-- ~ -->
    <!-- ~ If user is not authenticated insert login form-->
    <!-- ~ -->
    <xsl:template match="login-status">
        <form action="Login" method="post">
            <table width="100%" border="0" cellspacing="0" cellpadding="5">
                <tr class="uportal-background-light">
                    <td width="100%" class="uportal-channel-text" nowrap="nowrap">
                        <input type="hidden" name="action" value="login"/>
                        <!--
                        <span class="uportal-label">Name:<img alt="" src="{$mediaPath}/transparent.gif" width="4" height="1"/>
                            <input class="uportal-input-text" type="text" name="userName" size="15" value="{failure/@attemptedUserName}"/>
                            <img alt="" src="{$mediaPath}/transparent.gif" width="16" height="1"/>Password:<img alt="" src="{$mediaPath}/transparent.gif" width="4" height="1"/>
                            <input class="uportal-input-text" type="password" name="password" size="15"/>
                            <img alt="" src="{$mediaPath}/transparent.gif" width="8" height="1"/>
                            <input type="submit" value="Login" name="Login" class="uportal-button"/>
                        </span>
                        -->
                    </td>
                </tr>
                <xsl:apply-templates/>
            </table>
        </form>
        <b>Login via Shibboleth: </b> <a href="http://localhost:8080/uPortal/SpieLogin">Login</a>
    </xsl:template>
...

It would still be possible to authN in uPortal using either the traditional method or Shibboleth, although this would not be the best user experience. Note: when we mention authN via Shibboleth, this is not entirely correct, since Shibboleth is not an authN system. We mean using Shibboleth to convey an authN achieved at the IdP via an external authN system.

  • In order to do this, add the link to SPIE's Shibboleth Login Form but do not remove the default Login Form.
  • Next, edit $TOMCAT_HOME/webapps/uPortal/WEB-INF/classes/properties/security.properties and add a UnionSecurityContextFactory as the root context, keeping the default security context (SimpleSecurityContextFactory) and the Shibboleth one (ShibbolethSecurityContextFactory) as its sub-contexts. Sub-contexts are declared with keys of the form root.<name>; repeating the root= key would only keep the last value.
root=org.jasig.portal.security.provider.UnionSecurityContextFactory
# sub-context names (simple, shibboleth) are arbitrary labels
root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory
root.shibboleth=org.jasig.portal.security.provider.ShibbolethSecurityContextFactory
  • Start uPortal.

Step 18: Login via Shibboleth.

  • You can see a demo here. Please use demo/demo against SPIE's LDAP IdP (the other IdPs use the Oxford University WebAuth SSO System).
  • Within the uPortal authenticated session you will be able to see the attributes obtained via Shibboleth in the 'Person Attributes' Portlet. So, they live at the Portal Framework level.
  • Comments and feedback are very welcome (mail us). G'luck!

JSPWiki

JSPWiki is a Web Application using Container-based authN/authZ. SPIE's JAAS Module comes with spietestservlet, a very simple Web Application. By following those instructions, you are Shibboleth-enabling a standard Web Application using Container-based authN/authZ. JSPWiki follows exactly the same recipe.
WORK IN PROGRESS

Yale CAS Server

Coming soon...

XPlanner

Coming soon...
