
Shibboleth Setup

You will first need to set up the Shibboleth Service Provider and its Apache module before setting it up in VuFind. You will also need to enable Shibboleth authentication in the Apache configuration (httpd-vufind.conf). Note that for high-traffic sites the connection between Apache and the Shibboleth daemon may use a relatively high amount of CPU, so you may want to limit Shibboleth authentication to the authentication page where it is really needed, using a configuration block like this (this example works with Apache 2.4):

    <If "%{QUERY_STRING} =~ /auth_method=Shibboleth/">
      Require all denied
      AuthType shibboleth
      Require shibboleth
    </If>
    <Else>
      Require all granted
    </Else>

The settings on the VuFind side are found in the Shibboleth section of config.ini. Starting with VuFind 4.0, the debug-level log includes messages from the Shibboleth authentication handler to aid in debugging any issues with the authentication. These messages include the environment variables, so you can check whether the variable names that the Shibboleth module sets match the variable names in config.ini.

Shibboleth Single Logout

Support for Shibboleth back-channel single logout is available starting from VuFind version 4.0. Single logout is especially important on public terminals, where the Shibboleth Identity Provider would otherwise keep the user's session alive until the browser is closed, regardless of whether the user logged out from VuFind.

N.B. VuFind's Shibboleth logout notification handling requires the PHP SOAP module installed.

Here are some links for background information on how single logout works with Shibboleth:

VuFind supports the Shibboleth logout notification SOAP service that the Shibboleth Service Provider can be configured to call on logout. The service endpoint in VuFind is soap/shiblogout, i.e. http://vufind-server/vufind/soap/shiblogout with the default configuration. Here is an example configuration snippet for the Shibboleth SP (shibboleth2.xml) enabling the single logout handler and logout notification for VuFind (this is not a complete example but includes only the bits relevant to single logout):

    <ApplicationDefaults entityID="https://vufind-server"
                         REMOTE_USER="eppn persistent-id targeted-id" signing="front">
        <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="true" cookieProps="; path=/; secure; httpOnly">
            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>
 
            <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
            <LogoutInitiator type="Chaining" Location="/Logout">
                <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
                <LogoutInitiator type="Local"/>
            </LogoutInitiator>
 
            <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
            <md:SingleLogoutService Location="/SLO/SOAP"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
            <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
            <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
        </Sessions>
        <Notify Channel="back" Location="https://localhost/vufind/soap/shiblogout"/>
    </ApplicationDefaults>

You will also need to enable access to the SOAP endpoint from localhost in VuFind's permissions.ini:

    [api.ShibbolethLogoutNotification]
    permission = access.api.ShibbolethLogoutNotification
    require = ANY
    ; IPv4
    ipRange[] = '127.0.0.1'
    ; IPv6
    ipRange[] = '::1'

If the Shibboleth SP reaches the endpoint from a non-loopback IP address, also add that IP address of the Shibboleth SP to the ipRange[] settings.
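The following is an added illustration, not VuFind's or the Shibboleth SP's own code, of what the soap/shiblogout endpoint and the permissions.ini allow-list above accomplish together: only loopback callers are accepted, the SessionID is taken from the back-channel LogoutNotification, and the matching local login is dropped. The SOAP message shape and the urn:mace:shibboleth:2.0:sp:notify namespace are assumed from the SP's notification protocol, and the sample message is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Mirrors the ipRange[] entries in permissions.ini for the notification endpoint.
ALLOWED_CALLERS = ["127.0.0.1", "::1"]

# SOAP 1.1 envelope namespace and the SP notification namespace (assumed).
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "notify": "urn:mace:shibboleth:2.0:sp:notify",
}

def caller_allowed(client_ip: str) -> bool:
    """True only if the caller matches the loopback allow-list.
    An IPv4-mapped IPv6 address (::ffff:127.0.0.1), as seen on a dual-stack
    listener, is unwrapped first so it still counts as a loopback caller."""
    addr = ipaddress.ip_address(client_ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in ipaddress.ip_network(r) for r in ALLOWED_CALLERS)

def parse_logout_notification(body: bytes):
    """Extract (type, session_id) from a back-channel LogoutNotification."""
    root = ET.fromstring(body)
    note = root.find("soap:Body/notify:LogoutNotification", NS)
    if note is None:
        raise ValueError("not a LogoutNotification message")
    session = note.findtext("notify:SessionID", default="", namespaces=NS).strip()
    if not session:
        raise ValueError("LogoutNotification without SessionID")
    return note.get("type", "local"), session

def handle_notification(client_ip: str, body: bytes, sessions: dict) -> str:
    """Apply the allow-list, then drop the named SP session. Returns a status."""
    if not caller_allowed(client_ip):
        return "forbidden"
    try:
        _, session_id = parse_logout_notification(body)
    except (ET.ParseError, ValueError):
        return "bad-request"
    # Remove the local login tied to this Shibboleth session, if one exists.
    return "logged-out" if sessions.pop(session_id, None) is not None else "unknown-session"

# Constructed sample notification, shaped like the SP's back-channel message.
SAMPLE = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <LogoutNotification xmlns="urn:mace:shibboleth:2.0:sp:notify" type="global">
      <SessionID>_constructed-sp-session-id</SessionID>
    </LogoutNotification>
  </soap:Body>
</soap:Envelope>"""
```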

Finally, support for single logout in the service provider must be published in the federation metadata like this:

    <EntityDescriptor ...>
      <SPSSODescriptor ...>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://vufind-server/Shibboleth.sso/SLO/Redirect"/>
      </SPSSODescriptor>
    </EntityDescriptor>

configuration/shibboleth.txt · Last modified: 2016/09/22 15:21 by demiankatz