What happens during authentication

The sequence diagram below illustrates the series of requests that occur during authentication.

Shibboleth relies on cookies, redirects and some JavaScript to make all of these requests appear seamless to the end user.

From the user's perspective, authentication is a three-step process in the default configuration.

In this example a browser requests a directory protected by Shibboleth named "/secure".

The user "John Doe" is redirected to the WAYF ("Where Are You From", the identity-provider discovery page), where he chooses whether to authenticate with his Kerberos credentials or with an MIT certificate.

Getting Started with Apache Configuration for Touchstone

Below are some simple Apache configuration examples for multiple vhosts on the same host, set up to restrict content to MIT account holders.

More information about configuring Apache can be found at the following links.

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPhtaccess

It is highly recommended to use SSL (TLS) for the entire site you want to protect with Touchstone, not only the protected locations. The Shibboleth session cookie is sent with every request to the host, so any page still served over plain HTTP exposes it to an on-path attacker unless the SP is configured to mark the cookie Secure (cookieProps="https" on the Sessions element in shibboleth2.xml).

Apache Configuration Examples

Restrict content to MIT account holders

In this example all HTTP requests are redirected to HTTPS, and the /secure location requires a Shibboleth session whose REMOTE_USER ends in a literal "@mit.edu" (note the escaped dot; the regular expression is matched against REMOTE_USER). The require user ~ regex syntax is handled by the Shibboleth module on Apache 2.2; on Apache 2.4 with SP 2.5 or later the equivalent is Require shib-user ~ @mit\.edu$.

<VirtualHost [ip]:80>
    ServerName trantor.mit.edu
    RewriteEngine On
    # Send every plain-HTTP request to the same URL over HTTPS.
    # R=301 issues a permanent redirect, L stops further rule processing.
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>


<VirtualHost [ip]:443>
    DocumentRoot /var/www/html/trantor
    ServerName trantor.mit.edu
    SSLEngine on
    # Disable SSLv2 and SSLv3 and drop the RC4 and LOW-grade suites the
    # original cipher string allowed; none of these are safe any longer.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
    # Self-signed certificate. Apache does not allow comments after a
    # directive on the same line, so they go on their own lines. Replace
    # with a CA-issued certificate in production so browsers do not warn
    # before the user ever reaches the Touchstone login page.
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    <Location /secure>
       AuthType shibboleth
       # Require a Shibboleth session (a trip through Touchstone) before any
       # authorization rule is evaluated.
       ShibRequestSetting requireSession 1
       # REMOTE_USER must end in a literal "@mit.edu"; the dot is escaped so
       # that a value such as "jdoe@mitXedu" does not also match.
       require user ~ @mit\.edu$
       Options ExecCGI
    </Location>
</VirtualHost>

Add Shibboleth authentication to a site that also serves content over plain HTTP

Here the rest of the site stays reachable over HTTP; only the protected directory is forced onto HTTPS, by the SP itself, before a session is started.

<VirtualHost [ip]:80>
    DocumentRoot /var/www/html/helicon
    ServerName helicon.mit.edu
</VirtualHost>

# helicon.mit.edu over HTTPS
<VirtualHost [ip]:443>
    ServerName helicon.mit.edu
    DocumentRoot /var/www/html/helicon
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
    SSLCertificateKeyFile /etc/pki/tls/private/helicon.key
    SSLCertificateFile /etc/pki/tls/certs/helicon.crt
</VirtualHost>

# This <Directory> block applies to both vhosts. ShibRedirectToSSL makes the
# SP redirect any plain-HTTP request for the protected directory to port 443
# before it starts the login sequence, so the session cookie and the
# assertion never travel over HTTP.
<Directory /path/to/secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    require user ~ @mit\.edu$
    Options ExecCGI
    ShibRedirectToSSL 443
</Directory>
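As an added illustration (not code from this page, from the Shibboleth SP, or from MIT), the following Python models the decision chain that the two configurations above encode for a request to the protected directory, and shows why the dot in require user ~ @mit.edu$ should be escaped. The Request class, the authorize and compare_rules functions and the sample REMOTE_USER values are all constructed here; the code also assumes that the ~ rule is an unanchored regular-expression search, which is what the page's own rule (no leading ^) relies on.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# The two regular expressions discussed on this page. The page's original rule
# left the dot unescaped, so it matches any single character, not only ".".
LOOSE_RULE = r"@mit.edu$"
STRICT_RULE = r"@mit\.edu$"


@dataclass
class Request:
    """Constructed stand-in for the state Apache and the SP see on a request."""
    https: bool                 # did the request arrive on the TLS vhost?
    has_session: bool           # does a valid Shibboleth session exist?
    remote_user: Optional[str]  # REMOTE_USER as set by the SP from the session


def authorize(req: Request, rule: str = STRICT_RULE,
              require_session: bool = True) -> Tuple[int, str]:
    """Hypothetical model of the decision chain for a location configured with
    AuthType shibboleth, ShibRequestSetting requireSession 1 and
    require user ~ <rule>. Returns (HTTP status, reason).

    This illustrates the rule semantics; it is not the SP's own code. It
    assumes (as the page's rule does) that the '~' rule is an unanchored
    regex search against REMOTE_USER.
    """
    if not req.https:
        # RewriteRule in the :80 vhost, or ShibRedirectToSSL in <Directory>
        return 301, "redirect to https"
    if require_session and not req.has_session:
        # requireSession 1: no session yet, so the SP sends the browser to
        # its handler, which in turn redirects to the WAYF / IdP
        return 302, "redirect to /Shibboleth.sso/Login"
    if req.remote_user and re.search(rule, req.remote_user):
        return 200, "allowed"
    return 403, "require user rule did not match"


def compare_rules(user: str) -> Tuple[bool, bool]:
    """(matches loose rule, matches strict rule) for one REMOTE_USER value."""
    return (re.search(LOOSE_RULE, user) is not None,
            re.search(STRICT_RULE, user) is not None)


if __name__ == "__main__":
    # Constructed sample values: a real MIT user, a look-alike that only the
    # unescaped rule accepts, and a suffix attack that the trailing '$' stops.
    for user in ("jdoe@mit.edu", "jdoe@mitXedu", "jdoe@mit.edu.evil.example"):
        loose, strict = compare_rules(user)
        print(f"{user:28} loose={loose!s:5} strict={strict}")
    print(authorize(Request(https=False, has_session=False, remote_user=None)))
    print(authorize(Request(https=True, has_session=False, remote_user=None)))
    print(authorize(Request(https=True, has_session=True, remote_user="jdoe@mit.edu")))
```

The trailing $ in both rules is what stops "jdoe@mit.edu.evil.example"; only the escaped dot stops "jdoe@mitXedu". Whether a non-MIT identity provider could ever hand the SP such a value depends on which IdPs the SP trusts, but escaping costs nothing and matches the form the Shibboleth documentation itself uses for these rules.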

