Versions Compared

Old Version 28

changes.mady.by.user Hong Ye

Saved on

compared with

New Version 29

changes.mady.by.user Hong Ye

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Apache must be installed and your website have an SSL certificate installed and SSL enabled. To request a SSL certificate: https://it.cornell.edu/ssl/renew-or-request-ssl-certificate.

Installation

Follow instruction on https://wiki.shibboleth.net/confluence/display/SP3/RPMInstall to install Shibboleth. 

...

Expand
titleUpdate Access Control shib.conf

Open /etc/httpd/conf.d/shib.conf in a text editor. If you are Not using default Apache installation, make sure this file is included in your Apache config. All the authorization rules should be defined in this file.

Code Block
titleRequire authentication for entire site
<Location />
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user
</Location>
Code Block
titleAuthorization by affiliation
<Location /studentOnly>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require shib-attr eduPersonPrimaryAffiliation student
</Location>

<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require shib-attr eduPersonAffiliations staff
</Location>

*eduPersonPrimaryAffiliation is single value attribute while eduPersonAffiliations is multi-values attribute. 
For example, a staff who also taking courses at Cornell has staff as the value of eduPersonPrimaryAffiliation, has staff and student as the value of eduPersonAffiliations. 
All the possible value of affiliations can be found at https://confluence.cornell.edu/display/IDM/edupersonprimaryaffiliation+and+edupersonaffiliation+details
Code Block
titleAuthorization by group/permit
<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require shib-attr groups myGroup1 myGroup2
</Location>
Code Block
titleRequire TwoFactor for everyone
<Location /superSecret>
  AuthType shibboleth
  ShibRequestSetting authnContextClassRef http://cornell.edu/mfa
  ShibRequestSetting requireSession 1
  Require shib-attr groups mySecureGroup
</Location>

 

 

 

Start Shibboleth Service Provider and Apache

...

  1. Using a web browser, visit the /secure directory (or other protected location) of your SP.
  2. If you are prompted to log in, that means that your SP is properly integrated with Cornell IdP.
  3. After you log in, open a new tab of the same browser and point your web browser to https://<your dns name>/Shibboleth.sso/Session.  Your browser should return a status page that show you all the attributes and values released to your SP.

...