...
A
...
Shibboleth
...
authentication
...
module,
...
commonly
...
referred
...
to
...
as
...
shib_auth,
...
is
...
available
...
for
...
Drupal
...
6.
...
It
...
can
...
be
...
found
...
at
...
http://drupal.org/project/shib_auth
...
The
...
shib_auth
...
module
...
allows
...
you
...
to
...
configure
...
your
...
Drupal
...
site
...
to
...
use
...
Touchstone
...
to
...
authenticate
...
users,
...
instead
...
of
...
the
...
traditional
...
approach
...
of
...
creating
...
all
...
your
...
Drupal
...
user
...
accounts
...
by
...
hand.
...
When
...
the
...
module
...
is
...
installed
...
and
...
configured
...
properly,
...
when
...
someone
...
visits
...
your
...
Drupal
...
site
...
with
...
a
...
valid
...
Touchstone
...
login
...
credential,
...
a
...
Drupal
...
account
...
gets
...
automatically
...
created
...
on-the-fly
...
for
...
the
...
user,
...
and
...
instead
...
of
...
having
...
to
...
type
...
in
...
a
...
manual
...
username
...
and
...
password,
...
Drupal
...
trusts
...
the
...
already-established
...
Touchstone
...
session.
...
This
...
vastly
...
simplifies
...
the
...
administrative
...
task
...
of
...
user
...
creation.
...
In
...
order
...
to
...
use
...
this
...
authentication
...
module,
...
you
...
will
...
still
...
need
...
to
...
install
...
the
...
Shibboleth
...
SP
...
package
...
on
...
your
...
web
...
server
...
and
...
you
...
will
...
still
...
need
...
to
...
configure
...
and
...
customize
...
the
...
configuration.
...
Once
...
you
...
have
...
done
...
that
...
you
...
will
...
also
...
need
...
to
...
configure
...
the
...
authentication
...
module
...
via
...
the
...
Drupal
...
GUI.
...
There
...
are
...
three
...
tabs
...
in
...
the
...
module
...
administration
...
for
...
the
...
shib_auth
...
module:
...
General
...
Settings,
...
Group
...
Rules
...
and
...
Advanced
...
Settings.
...
Here
...
is
...
an
...
example
...
screen
...
shot
...
of
...
the
...
three
...
tabs.
...
Click
...
on
...
the
...
image
...
to
...
enlarge
...
it.
Here is an example of the Shibboleth handler settings section (in the General settings tab) for the authentication module when used at MIT, for the host name ist-dev.mit.edu.
...
Click
...
on
...
the
...
image
...
to
...
enlarge it.
A typical attribute settings section (in the General settings Tab) is shown below. Click on the image to enlarge it.
The entries in the Shibboleth handler settings screen shot above assume that you have used the MIT gen-shib2.sh shell script to configure your shibboleth2.xml file. You should check your shibboleth2.xml file. If you are running Shibboleth SP 2.4 (or higher), you may have a single SSO element within the Sessions element; this configures the login handler location at /Shibboleth.sso/Login:
| Code Block |
|---|
it. !Screen shot 2011-06-29 at 2.42.53 PM.png|thumbnail,border=1! A typical attribute settings section (in the General settings Tab) is shown below. Click on the image to enlarge it. !Screen shot 2011-06-24 at 3.32.28 PM.png|thumbnail,border=1,width=200! The entries in the Shibboleth handler settings screen shot above assume that you have used the MIT gen-shib2.sh shell script to configure your shibboleth2.xml file. You should check your shibboleth2.xml file. If you are running Shibboleth SP 2.4 (or higher), you may have a single {{SSO}} element within the {{Sessions}} element; this configures the login handler location at {{/Shibboleth.sso/Login}}: {code} <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf-mit-edu.ezproxy.canberra.edu.au/DS"> SAML2 SAML1 </SSO> {code} |
Pre-2.4
...
configurations
...
will
...
have
...
a
...
section
...
of
...
SessionInitiator
...
elements
...
within
...
the
...
Sessions
...
element;
...
the
...
first
...
one
...
(default)
...
should
...
look
...
like:
| Code Block |
|---|
} <SessionInitiator type="Chaining" Location="/DS" isDefault="true" id="MIT-DS" relayState="cookie"> <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/> <SessionInitiator type="Shib1" acsIndex="5"/> <SessionInitiator type="SAMLDS" URL="https://wayf-mit-edu.ezproxy.canberra.edu.au/DS"/> </SessionInitiator> {code} |
Note
...
that
...
the
...
Location
...
setting
...
here
...
is
...
/DS
...
,
...
so
...
you
...
would
...
use
...
/Shibboleth.sso/DS
...
as
...
the
...
URL
...
of
...
the
...
login
...
handler.
...
The
...
elements
...
shown
...
above
...
will
...
direct
...
users
...
to
...
the
...
MIT
...
WAYF/DS
...
(Where
...
Are
...
You
...
From/Discovery)
...
server.
...
This
...
is
...
appropriate
...
if
...
you
...
have
...
an
...
application
...
that
...
will
...
support
...
users
...
from
...
outside
...
of
...
MIT
...
as
...
well
...
as
...
users
...
that
...
have
...
an
...
MIT
...
Kerberos
...
username.
...
If
...
your
...
application
...
is
...
intended
...
to
...
only
...
be
...
accessible
...
to
...
users
...
that
...
have
...
an
...
MIT
...
Kerberos
...
username
...
then
...
you
...
should
...
specify
...
the
...
MIT
...
IdP
...
entityID
...
(
...
https://idp-mit-edu.ezproxy.canberra.edu.au/shibboleth
...
)
...
as
...
a
...
property
...
of
...
the
...
SSO/SessionInitiator.
...
For
...
a
...
SessionInitiator
...
,
...
an
...
example
...
of
...
this,
...
using
...
the
...
/Login
...
location,
...
is:
| Code Block |
|---|
} <SessionInitiator type="Chaining" Location="/Login" id="MIT" relayState="cookie" entityID="https://idp-mit-edu.ezproxy.canberra.edu.au/shibboleth"> <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/> <SessionInitiator type="Shib1" acsIndex="5"/> </SessionInitiator> {code} _Group rules_ allow you to automatically map |
Group rules allow you to automatically map Touchstone-authenticated
...
users
...
to
...
specific
...
Drupal
...
roles,
...
based
...
on
...
values
...
in
...
SAML
...
attributes.
...
One
...
common
...
attribute
...
we
...
use
...
here
...
is
...
"affiliation".
...
Here
...
is
...
an
...
example
...
of
...
configuring
...
the
...
Group
...
Rules
...
when
...
using
...
Drupal
...
6.
...
Click
...
on
...
the
...
image
...
to
...
enlarge
...
it.
In this example, we have used the three possible values you can get out of the MIT Touchstone attribute, "affiliation" (staff, student, and affiliate) to automatically map new accounts to three new roles we created in Drupal - Staff User, Student User, and Affiliate. By default, Drupal 6 has only two roles: Anonymous user and Authenticated user. Without further configuration, any Drupal account automatically inherits the "Authenticated User" role in Drupal, but you might want to create more roles in order to provide more granular control over permissions. For example, we might want to configure our Drupal site to allow students to see certain kinds of content, but give staff a different default view.
Note that the affiliate attribute is not the only one you can use in the shib_auth module; you could also map a user to a particular role based on the form of the username or email address, giving one role to people who authenticate via the MIT IdP (who will have an email address ending in @mit.edu) and a different role to everyone else (e.g., collaboration account users).