geosolutions-it/ckanext-shibboleth

Name: ckanext-shibboleth

Owner: GeoSolutions

Description: null

Created: 2015-09-23 16:34:05.0

Updated: 2015-09-23 16:57:15.0

Pushed: 2015-09-25 12:07:23.0

Homepage: null

Size: 156

Language: Python

GitHub Committers

UserMost Recent Commit# Commits

Other Committers

UserEmailMost Recent Commit# Commits

README

Shibboleth identification plugin for CKAN 2.4.

Install

You can install ckanext-shibboleth either with

pip install -e git+git://github.com/geosolutions-it/ckanext-shibboleth.git#egg=ckanext-shibboleth

or

git clone https://github.com/geosolutions-it/ckanext-shibboleth.git
python setup.py install

Plugin configuration

who.ini configuration

Add the plugin:shibboleth section, customizing the env var names:

[plugin:shibboleth]
use = ckanext.shibboleth.repoze.ident:make_identification_plugin

session = YOUR_HEADER_FOR_Shib-Session-ID
eppn = YOUR_HEADER_FOR_eppn
mail = YOUR_HEADER_FOR_mail
fullname = YOUR_HEADER_FOR_cn

check_auth_key=AUTH_TYPE
check_auth_value=shibboleth

check_auth_key and check_auth_value are needed to find out if we are receiving info from the Shibboleth module. Customize both right-side values if needed. For instance, older Shibboleth implementations may need this configuration:

check_auth_key=HTTP_SHIB_AUTHENTICATION_METHOD 
check_auth_value=urn:oasis:names:tc:SAML:1.0:am:unspecified

Add shibboleth to the list of the identifier plugins:

[identifiers]
plugins =
    shibboleth
    friendlyform;browser
    auth_tkt

Add ckanext.shibboleth.repoze.auth:ShibbolethAuthenticator to the list of the authenticator plugins:

[authenticators]
plugins =
    auth_tkt
    ckan.lib.authenticator:UsernamePasswordAuthenticator
    ckanext.shibboleth.repoze.auth:ShibbolethAuthenticator

Add shibboleth to the list of the challengers plugins:

[challengers]
plugins =
    shibboleth
#    friendlyform;browser
#   basicauth
production.ini configuration

Add shibboleth the the ckan.plugins line

 ckan.plugins = [...] shibboleth
Apache HTTPD configuration

The ckanext-shibboleth extension requires that the /shibboleth path to be externally filtered by the shibboleth client module.

Using mod_shib on your apache httpd installation, you need these lines in your configuration file:

<Location ~ /shibboleth >
    AuthType shibboleth
    ShibRequireSession On
    require valid-user
</Location>
This work is supported by the National Institutes of Health's National Center for Advancing Translational Sciences, Grant Number U24TR002306. This work is solely the responsibility of the creators and does not necessarily represent the official views of the National Institutes of Health.