This configuration is needed when the ShibUI application is integrated with Shibboleth and Shibboleth is to be used as the authentication source for ShibUI users.


NOTE

If the IDP cannot provide the correct roles (ROLE_ADMIN, ROLE_USER, ROLE_ENABLE) in the user attributes, you will need to create a users file, as detailed on the integration page, containing at least one username (matching a username asserted by the IDP) with the ROLE_ADMIN role.



If you choose to integrate the ShibUI as a Service Provider (SP) (i.e., ShibUI users will authenticate through Shibboleth to access the ShibUI), you will need to do the following:

  • (OPTIONAL) Create the appropriate certificate files and SP metadata. This step is NOT required: on startup the configuration will generate these for you if they do not exist. Set forceServiceProviderMetadataGeneration to false if you are providing your own files.
  • Create a copy of the IDP's metadata file and place it locally in a location readable by the ShibUI application.
  • Create an application.yml file to house the configuration needed by the application. This same application.yml file may hold additional configuration items as required or desired by your setup, but only the items pertaining to the Pac4j setup are shown here.



application.yml
shibui:
  pac4j-enabled: true
  pac4j:
    keystorePath: "/conf/samlKeystore.jks"
    keystorePassword: "changeit"
    privateKeyPassword: "changeit"
    serviceProviderEntityId: "https://yourorganization.net/shibui"
    serviceProviderMetadataPath: "/conf/sp-metadata.xml"    # Full path to SP metadata file location
    identityProviderMetadataPath: "/conf/idp-metadata.xml"  # Full path to the IDP metadata file location
    callbackUrl: "https://localhost:8443/callback"
    forceServiceProviderMetadataGeneration: true    # Set to false if you don't want the system to generate the certificate and SP metadata files for you
    maximumAuthenticationLifetime: 3600000          # values smaller than the IDP's session timeout will effectively be overridden by the IDP
    requireAssertedRoleForNewUsers: false           # default
    saml2ProfileMapping:                            # Standard defaults; groups and roles can be mapped to whatever attributes you need, or left commented out
      username: urn:oid:0.9.2342.19200300.100.1.1
      firstname: urn:oid:2.5.4.42
      lastname: urn:oid:2.5.4.4
      email: urn:oid:0.9.2342.19200300.100.1.3
      #groups: urn:oid:2.5.4.15                      # businessCategory
      #roles: urn:oid:1.3.6.1.4.1.5923.1.1.1.7       # eduPersonEntitlement



The saml2ProfileMapping values are the standard SAML attribute OIDs; groups and roles can be mapped to whatever attributes are appropriate for your systems.
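Most login failures with this setup come from the configuration above disagreeing with the SP metadata the IDP has been given (a different entityID or a callback URL that is not a registered AssertionConsumerService), or from the placeholder keystore passwords surviving into production. The following script is an added example, not part of ShibUI or this page: it audits the shibui.pac4j section of a parsed application.yml (the key names are exactly those shown above; the checks themselves and the sample metadata are constructed here) and cross-checks serviceProviderEntityId and callbackUrl against the SP metadata file. The load_config helper is the only part that needs PyYAML; the audit functions work on an already parsed dict.

```python
"""Audit the shibui.pac4j section of application.yml and cross-check it
against the SP metadata. Added example for this page; not ShibUI code."""
import xml.etree.ElementTree as ET

# Keys shown under shibui.pac4j in the application.yml on this page.
REQUIRED_KEYS = (
    "keystorePath", "keystorePassword", "privateKeyPassword",
    "serviceProviderEntityId", "serviceProviderMetadataPath",
    "identityProviderMetadataPath", "callbackUrl",
)
PLACEHOLDER_SECRETS = {"changeit"}  # the value used in the page's example
MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}


def load_config(path):
    """Parse application.yml. PyYAML is only needed by this helper."""
    import yaml  # third-party; the audit functions below do not need it
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


def audit_pac4j_config(config):
    """Return a list of findings for the shibui.pac4j section of a parsed
    application.yml (a dict whose top-level key is 'shibui')."""
    findings = []
    shibui = config.get("shibui") or {}
    if shibui.get("pac4j-enabled") is not True:
        findings.append("shibui.pac4j-enabled is not true; Pac4j SAML login is off")
    pac4j = shibui.get("pac4j") or {}
    for key in REQUIRED_KEYS:
        if not pac4j.get(key):
            findings.append(f"pac4j.{key} is missing or empty")
    for key in ("keystorePassword", "privateKeyPassword"):
        if pac4j.get(key) in PLACEHOLDER_SECRETS:
            findings.append(f"pac4j.{key} is the placeholder value; set a real secret")
    callback = str(pac4j.get("callbackUrl") or "")
    if callback and not callback.startswith("https://"):
        findings.append("pac4j.callbackUrl is not https; the SAML response would be posted in clear")
    lifetime = pac4j.get("maximumAuthenticationLifetime")
    if lifetime is not None and not (isinstance(lifetime, int) and lifetime > 0):
        findings.append("pac4j.maximumAuthenticationLifetime must be a positive integer")
    mapping = pac4j.get("saml2ProfileMapping") or {}
    if "username" not in mapping:
        findings.append("pac4j.saml2ProfileMapping.username is missing; no user can be identified")
    if "roles" not in mapping and "groups" not in mapping:
        findings.append("no roles/groups attribute mapped; ROLE_ADMIN must then come from the users file")
    return findings


def cross_check_sp_metadata(pac4j, metadata_xml):
    """Compare serviceProviderEntityId with EntityDescriptor/@entityID and
    callbackUrl with the AssertionConsumerService Location values."""
    findings = []
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    if entity_id != pac4j.get("serviceProviderEntityId"):
        findings.append(f"entityID mismatch: metadata {entity_id!r}, "
                        f"config {pac4j.get('serviceProviderEntityId')!r}")
    acs_locations = {acs.get("Location")
                     for acs in root.iterfind(".//md:AssertionConsumerService", MD_NS)}
    if pac4j.get("callbackUrl") not in acs_locations:
        findings.append(f"callbackUrl {pac4j.get('callbackUrl')!r} is not an "
                        "AssertionConsumerService Location in the SP metadata")
    return findings


# Constructed sample: mirrors the application.yml shown on this page.
SAMPLE_CONFIG = {"shibui": {"pac4j-enabled": True, "pac4j": {
    "keystorePath": "/conf/samlKeystore.jks",
    "keystorePassword": "changeit",
    "privateKeyPassword": "changeit",
    "serviceProviderEntityId": "https://yourorganization.net/shibui",
    "serviceProviderMetadataPath": "/conf/sp-metadata.xml",
    "identityProviderMetadataPath": "/conf/idp-metadata.xml",
    "callbackUrl": "https://localhost:8443/callback",
    "forceServiceProviderMetadataGeneration": True,
    "maximumAuthenticationLifetime": 3600000,
    "requireAssertedRoleForNewUsers": False,
    "saml2ProfileMapping": {
        "username": "urn:oid:0.9.2342.19200300.100.1.1",
        "firstname": "urn:oid:2.5.4.42",
        "lastname": "urn:oid:2.5.4.4",
        "email": "urn:oid:0.9.2342.19200300.100.1.3",
    },
}}}

# Constructed minimal SP metadata matching the sample config.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://yourorganization.net/shibui">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:8443/callback" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for line in audit_pac4j_config(SAMPLE_CONFIG):
        print("config:", line)
    for line in cross_check_sp_metadata(SAMPLE_CONFIG["shibui"]["pac4j"], SAMPLE_SP_METADATA):
        print("metadata:", line)
```

Run against the page's example, the audit reports the two "changeit" passwords and the absence of a roles/groups mapping (which is exactly the case the NOTE above covers with the users file), and the metadata cross-check passes. To run it on a real deployment, replace SAMPLE_CONFIG with load_config("application.yml") and read the file named by serviceProviderMetadataPath.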

Within the project's source code, testbed/authentication provides an example setup for an IDP and the ShibUI, including a sample application.yml configuration.
