When you integrate the ShibUI application with Shibboleth and want to use the Shibboleth IdP as the authentication source for ShibUI users, the following configuration is needed.
NOTE
If the IDP cannot provide the correct roles (ROLE_ADMIN, ROLE_USER, ROLE_ENABLE) in the user attributes, you will need to create a users file, as described on the integration page, containing at least one username (matching a username asserted by the IDP) with the ROLE_ADMIN role.
If you choose to integrate the ShibUI as a Service Provider (SP), i.e. ShibUI users will authenticate through Shibboleth to access the ShibUI, you will need to do the following:
- (OPTIONAL) Create the appropriate certificate files and SP metadata. This step is NOT required: on startup the configuration will generate these for you if they do not exist. If you provide your own files, set forceServiceProviderMetadataGeneration to false.
- Create a copy of the IDP's metadata file and place it locally in a location readable by the ShibUI application.
- Create an application.yml file to hold the configuration needed by the application. The same application.yml may hold additional configuration items as required by your setup, but only the items pertaining to the pac4j setup are shown here.
application.yml

```yaml
shibui:
  pac4j-enabled: true
  pac4j:
    keystorePath: "/conf/samlKeystore.jks"
    keystorePassword: "changeit"        # replace the default before deploying
    privateKeyPassword: "changeit"      # replace the default before deploying
    serviceProviderEntityId: "https://yourorganization.net/shibui"
    serviceProviderMetadataPath: "/conf/sp-metadata.xml"   # Full path to SP metadata file location
    identityProviderMetadataPath: "/conf/idp-metadata.xml" # Full path to the IDP metadata file location
    callbackUrl: "https://localhost:8443/callback"         # must match an AssertionConsumerService the IDP knows for this SP
    forceServiceProviderMetadataGeneration: true # Set to false if you are supplying your own SP metadata and certificate files
    maximumAuthenticationLifetime: 3600000 # values smaller than the IDP's session timeout will be effectively overridden by the IDP
    requireAssertedRoleForNewUsers: false # default
    simpleProfileMapping: # Standard defaults - groups and roles can be whatever attributes are needed, or left commented out
      username: urn:oid:0.9.2342.19200300.100.1.1
      firstname: urn:oid:2.5.4.42
      lastname: urn:oid:2.5.4.4
      email: urn:oid:0.9.2342.19200300.100.1.3
      #groups: urn:oid:2.5.4.15 # businessCategory
      #roles: urn:oid:1.3.6.1.4.1.5923.1.1.1.7 # eduPersonEntitlement
```
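Most SP-side SAML failures come from the pac4j values disagreeing with the metadata files they point at: serviceProviderEntityId must equal the entityID in the SP metadata, callbackUrl must be one of the AssertionConsumerService locations the IDP has registered for that SP, and the IDP metadata must actually describe an IdP. The following pre-flight check is an added example, not part of ShibUI or pac4j. It takes the shibui.pac4j values as a plain dict (in practice you would load application.yml with PyYAML) and cross-checks them against two constructed, minimal metadata documents; the sample SP metadata deliberately lists a different callback location than the config, and the passwords are still the defaults, so the check reports both.

```python
"""Pre-flight consistency check for a ShibUI pac4j SAML configuration.

Added example, not ShibUI or pac4j code. The metadata documents are
constructed minimal samples; a real check would read the files named by
serviceProviderMetadataPath and identityProviderMetadataPath.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Subset of the shibui.pac4j section from application.yml, as a dict.
PAC4J_CONFIG = {
    "keystorePassword": "changeit",
    "privateKeyPassword": "changeit",
    "serviceProviderEntityId": "https://yourorganization.net/shibui",
    "callbackUrl": "https://localhost:8443/callback",
}

# Constructed SP metadata: entityID matches the config, the ACS location does not.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://yourorganization.net/shibui">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://shibui.yourorganization.net/callback" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed IDP metadata with a single SSO endpoint.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.yourorganization.net/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.yourorganization.net/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

DEFAULT_PASSWORDS = {"changeit", "password", ""}


def check_config(config, sp_metadata_xml, idp_metadata_xml):
    """Return a list of problem descriptions; an empty list means consistent."""
    problems = []

    # Keystore secrets copied verbatim from the documentation are a known default.
    for key in ("keystorePassword", "privateKeyPassword"):
        if config.get(key, "") in DEFAULT_PASSWORDS:
            problems.append(f"{key} is a well-known default; set a real secret")

    # callbackUrl is where the IDP posts the assertion; it must be TLS-protected.
    callback = config["callbackUrl"]
    if not callback.startswith("https://"):
        problems.append(f"callbackUrl {callback!r} is not https")

    # SP metadata: entityID and AssertionConsumerService locations must agree with the config.
    sp_root = ET.fromstring(sp_metadata_xml)
    sp_entity_id = sp_root.get("entityID")
    if sp_entity_id != config["serviceProviderEntityId"]:
        problems.append(
            f"serviceProviderEntityId {config['serviceProviderEntityId']!r} "
            f"does not match SP metadata entityID {sp_entity_id!r}"
        )
    acs_locations = [
        acs.get("Location")
        for acs in sp_root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    ]
    if callback not in acs_locations:
        problems.append(
            f"callbackUrl {callback!r} is not an AssertionConsumerService in SP metadata "
            f"(found {acs_locations})"
        )

    # IDP metadata: it must describe an IdP with at least one SSO endpoint.
    idp_root = ET.fromstring(idp_metadata_xml)
    sso = idp_root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    if not sso:
        problems.append("IDP metadata has no IDPSSODescriptor/SingleSignOnService")

    return problems


def main():
    problems = check_config(PAC4J_CONFIG, SAMPLE_SP_METADATA, SAMPLE_IDP_METADATA)
    for problem in problems:
        print("PROBLEM:", problem)
    if not problems:
        print("pac4j configuration is consistent with the metadata")


if __name__ == "__main__":
    main()
```

Run against the sample inputs it reports three problems (both default passwords and the callbackUrl mismatch); pointing callbackUrl at the ACS location the IDP has on file and setting real passwords brings it to zero. If you let ShibUI generate the SP metadata, run the check against the generated file before handing it to the IDP administrator.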
The profile mapping entries are the standard SAML attribute OIDs; groups and roles can be pointed at whatever attributes are appropriate for your systems, and whatever attribute you choose for roles must carry the ROLE_ values described in the NOTE above.
Within the project's source code, testbed/authentication provides an example setup for an IDP and the ShibUI, including a sample application.yml configuration.