Make Coral work with Shibboleth #246
base: development
Introduce new configuration parameter - idpLogout in configuration_sample.ini of each module to hold Shibboleth IDP Logout URL. Add htaccess template file by the name of htaccess_sample4shib into the top directory of each module.
I wonder if it would be better to make the Auth module handle Shibboleth integration, like it does with LDAP now, rather than going back to .htaccess files. Also, I'm concerned about adding a logout button setting to the configuration. It seems to me that we should not have to add a flag like that to every configuration file. I don't have another suggestion at the moment though. I appreciate you working on getting Shibboleth support! It's definitely needed!
In order to completely log out of a Shibboleth session, the associated IDP session must be ended using the IDP logout URL, which can be hard-coded or stored in the configuration file. Shibboleth is different from LDAP and, according to my current knowledge and our test, using htaccess is the easiest way to go.
I'm sure the .htaccess method will be the easiest to create. It was for LDAP too, but eventually we added support into the Auth module. I'd really like the Auth module to be viable for as many Auth use cases as possible, but I do understand getting something working with an .htaccess method for advanced users in the meantime. Thanks for putting this together!
Actually, my 2nd thought suggests using htaccess may not be necessary, but the IDP Logout URL has to be used, according to my current knowledge, which is not sufficient; otherwise any user can come back without being authenticated because of the existing IDP session on the campus IDP server.
How about using htaccess which is adapted for Shibboleth only in the Auth folder?
I don't know enough about Shibboleth to be very helpful, sorry. I expect I'll be learning about it later this year, so hopefully I learn something from what you come up with.
In order to use .htaccess only with the Auth module, the index file, configuration.ini and maybe some other ones need to be modified to handle the server parameter REMOTE_USER, which is set by Apache after a user is authenticated via Shibboleth.
We still need to add support for this, but I'm still not in a position to test it.
Add back missing Logout buttons when not using Coral Auth module.
Introduce new configuration parameter - idpLogout in configuration_sample.ini of each module to hold Shibboleth IDP Logout URL.
Add htaccess template file by the name of htaccess_sample4shib into the top directory of each module.
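
The two points raised in the thread, reading the `REMOTE_USER` value Apache sets after Shibboleth authentication and sending the browser to the `idpLogout` URL on logout, shown in PHP as an added example (not code from this pull request or from Coral). The helper names, the placement of `idpLogout` under a `[settings]` section and the sample values are assumptions.

```php
<?php
// Added example; shib_login_id() and shib_logout() are hypothetical helpers.

/**
 * Login ID set by Apache after Shibboleth authentication, or null.
 * Only REMOTE_USER is read: the web server sets it. HTTP_REMOTE_USER is
 * built from a client-supplied "Remote-User" request header and is ignored.
 */
function shib_login_id(array $server): ?string
{
    $value = trim((string) ($server['REMOTE_USER'] ?? ''));
    return $value === '' ? null : $value;
}

/**
 * End the local PHP session and return the IdP logout URL to redirect to.
 * Returns null when idpLogout is missing or not an absolute https URL, so
 * the caller can report that the IdP session is still alive.
 */
function shib_logout(array $config): ?string
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        $_SESSION = [];
        session_destroy();
    }
    $url = (string) ($config['settings']['idpLogout'] ?? '');
    $parts = parse_url($url);
    $ok = is_array($parts)
        && ($parts['scheme'] ?? '') === 'https'
        && !empty($parts['host']);
    return $ok ? $url : null;
}

// Constructed sample input (assumed layout: idpLogout under [settings]).
$ini = "[settings]\nidpLogout = \"https://idp.example.edu/logout\"\n";
$config = parse_ini_string($ini, true);
$server = ['HTTP_REMOTE_USER' => 'spoofed', 'REMOTE_USER' => 'jdoe@example.edu'];

$loginID = shib_login_id($server);
$target = shib_logout($config);

if ($loginID === null) {
    echo "No authenticated user: deny access\n";
} elseif ($target === null) {
    echo "Local session ended, but no valid idpLogout URL is configured\n";
} else {
    // In a web request this would be header('Location: ' . $target); exit;
    echo "User {$loginID} logged out locally; redirect to {$target}\n";
}
```

Destroying only the local PHP session leaves the IdP session in place, which is the silent re-login described in the thread; the redirect to `idpLogout` is what ends it.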