Add Shibboleth Authentication¶

The following prerequisites need to be satisfied:

  • A Shibboleth IdP server deployed, e.g., idp.my-center.edu (outside of scope of this document)
  • The Apache module for Shibboleth installed on the OnDemand Server and properly configured with its own Apache config (outside of scope of this document)

Warning

It is required you turn on ShibCompatValidUser in your Apache config when setting up the Shibboleth module for Apache above.

# /path/to/httpd/conf.d/auth_shib.conf

#
# Turn this on to support "require valid-user" rules from other
# mod_authn_* modules, and use "require shib-session" for anonymous
# session-based authorization in mod_shib.
#
ShibCompatValidUser On

Then you can modify your ood-portal-generator configuration file as such:

# /etc/ood/config/ood_portal.yml
---

# Use Shibboleth authentication
auth:
  - "AuthType shibboleth"
  - "ShibRequestSetting requireSession 1"
  - "RequestHeader edit* Cookie \"(^_shibsession_[^;]*(;\\s*)?|;\\s*_shibsession_[^;]*)\" \"\""
  - "RequestHeader unset Cookie \"expr=-z %{req:Cookie}\""
  - "Require valid-user"

# Use Shibboleth logout
logout_redirect: /Shibboleth.sso/Logout?return=https%3A%2F%2Fidp.my-center.edu%2Fidp%2Fprofile%2FLogout

# Capture system user name from authenticated user name
user_map_cmd: "/opt/ood/ood_auth_map/bin/ood_auth_map.regex --regex='^(\\w+)@my-center.edu'"

In the example above:

  • The user_map_cmd uses regular expressions to map the authenticated user bob@my-center.edu to their system user name bob.
  • The RequestHeader settings are used to strip private session information from being sent to the backend web servers.
  • The logout_redirect will first redirect the user to log out of the Open OnDemand portal followed by redirecting the user to log out of the Shibboleth IdP server.

Remember, in order to apply modifications to the /etc/ood/config/ood_portal.yml you need to generate the new Apache configuration file with:

sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal