You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 12 Next »

A Shibboleth authentication module is available for Drupal 6. It can be found at http://drupal.org/project/shib_auth

When used with Drupal 6, Drupal groups membership can be generated from rules that evaluate the data contained in the SAML assertion that is provided by the identify provider.

In order to use this authentication module, you will still need to install the Shibboleth SP package on your web server and you will still need to configure and customize the configuration. Once you have done that you will also need to configure the authentication module via the Drupal GUI.

There are three tabs in the module administration for the shib_auth module: General Settings, Group Rules and Advanced Settings. Here is an example screen shot of the three tabs. Click on the image to enlarge it.

Here is an example of the Shibboleth handler settings section (in the General settings tab) for the authentication module when used at MIT, for the host name ist-dev.mit.edu. Click on the image to enlarge it.

A typical attribute settings section (in the General settings Tab) is shown below. Click on the image to enlarge it.

The entries in the Shibboleth handler settings screen shot above assume that you have used the MIT gen-shib2.sh shell script to configure your shibboleth2.xml file. You should check your shibboleth2.xml file. If you are running Shibboleth SP 2.4 (or higher), you may have a single SSO element within the Sessions element; this configures the login handler location at /Shibboleth.sso/Login:

    <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf-mit-edu.ezproxy.canberra.edu.au/DS">
      SAML2 SAML1
    </SSO>

Pre-2.4 configurations will have a section of SessionInitiator elements within the Sessions element; the first one (default) should look like:

    <SessionInitiator type="Chaining" Location="/DS" isDefault="true" id="MIT-DS" relayState="cookie">
        <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
        <SessionInitiator type="Shib1" acsIndex="5"/>
        <SessionInitiator type="SAMLDS" URL="https://wayf-mit-edu.ezproxy.canberra.edu.au/DS"/>
    </SessionInitiator>

Note that the Location setting here is /DS, so you would use /Shibboleth.sso/DS as the URL of the login handler.

The elements shown above will direct users to the MIT WAYF/DS (Where Are You From/Discovery) server. This is appropriate if you have an application that will support users from outside of MIT as well as users that have an MIT Kerberos username.

If your application is intended to only be accessible to users that have an MIT Kerberos username then you should specify the MIT IdP entityID (https://idp-mit-edu.ezproxy.canberra.edu.au/shibboleth) as a property of the SSO/SessionInitiator. For a SessionInitiator, an example of this, using the /Login location, is:

    <SessionInitiator type="Chaining" Location="/Login" id="MIT"
            relayState="cookie" entityID="https://idp-mit-edu.ezproxy.canberra.edu.au/shibboleth">
        <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
        <SessionInitiator type="Shib1" acsIndex="5"/>
    </SessionInitiator>

Group rules allow you to automatically map Touchstone-authenticated users to specific Drupal roles, based on values in SAML attributes. One common attribute we use here is "affiliation". Here is an example of configuring the Group Rules when using Drupal 6. Click on the image to enlarge it.

  • No labels