Before you start converting from CUWebAuth to Shibboleth, review your CUWebAuth configuration and compare it against these instructions. If you are using any CUWebAuth feature that is not available in Shibboleth, you will need to modify your application to replace it with another method before you convert.
Features that are not supported in Shibboleth:
- CUWebAuth Portal Permit: <Location /CUWAPortal/Permit>
  Suggestion: Your application needs to query Active Directory directly to get group membership.
- CUWAInquire
  Suggestion: Your application needs to query Active Directory directly to get group membership.
- CUWebAuth Portal Proxy: <Location /CUWAPortal/Proxy>
  We need to know your application before we can offer any suggestion.
- CUWebAuth DavLogin: SetHandler cuwa_davlogin
CUWebAuth Directive to Shibboleth mapping
CUWebAuth | Shibboleth(shib.conf) | Shibboleth(shibboleth2.xml) |
---|---|---|
AuthName Cornell | Delete it | |
AuthType all | AuthType shibboleth ShibRequestSetting requireSession 1 | |
Require valid-user | Require valid-user | |
Require netid netid1 netid2 | Require shib-attr uid netid1 netid2 | |
Require permit myPermit | Require shib-attr groups myPermit | |
Require noprompt | Not supported | |
CUWA2FARequire all | ShibRequestSetting authnContextClassRef http://cornell.edu/mfa | |
CUWA2FARequire permit-name1 permit-name2 | Not supported in the Shibboleth SP, but can be supported in the Shibboleth IdP. Please specify your requirement in the Shibboleth integration request form | |
CUWACredentialAge | | <Sessions lifetime= ... > |
CUWAinactivityTimeout | | <Sessions ... timeout=...> |
Combination of CUWACredentialAge and CUWAinactivityTimeout for the purpose of forcing user re-login | ShibRequestSetting forceAuthn true | |
CUWAwak2Name CUWAwaK0Realms |
The following directives can simply be deleted:
AuthName Cornell
CUWAKerberosPrincipal
CUWAWebLoginURL
CUWAKeytab
CUWAsessionFilePath
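To make the pre-conversion review repeatable, the mapping table and the two lists above can be applied mechanically to an existing Apache configuration. The script below is an added example, not part of the original page or any Cornell tooling; the names `RULES`, `audit` and `SAMPLE_CONF` are hypothetical, the sample configuration is constructed, and it assumes one directive per line.

```python
import re

# Rules transcribed from this page's mapping table and lists.
# Each entry: (regex on the stripped line, action, replacement template or note).
RULES = [
    (r"AuthType\s+all$", "replace", "AuthType shibboleth\nShibRequestSetting requireSession 1"),
    (r"Require\s+valid-user$", "keep", "Require valid-user"),
    (r"Require\s+netid\s+(.+)$", "replace", r"Require shib-attr uid \1"),
    (r"Require\s+permit\s+(.+)$", "replace", r"Require shib-attr groups \1"),
    (r"Require\s+noprompt$", "unsupported", "no Shibboleth equivalent"),
    (r"CUWA2FARequire\s+all$", "replace", "ShibRequestSetting authnContextClassRef http://cornell.edu/mfa"),
    (r"CUWA2FARequire\s+.+$", "unsupported", "not available in the SP; request it on the IdP side"),
    (r"CUWACredentialAge\b", "xml", "<Sessions lifetime=...> in shibboleth2.xml"),
    (r"CUWAinactivityTimeout\b", "xml", "<Sessions timeout=...> in shibboleth2.xml"),
    (r"(AuthName|CUWAKerberosPrincipal|CUWAWebLoginURL|CUWAKeytab|CUWAsessionFilePath)\b", "delete", ""),
    (r"<Location\s+/CUWAPortal/(Permit|Proxy)>", "unsupported", "portal endpoint has no Shibboleth equivalent"),
    (r"(CUWAInquire\b|SetHandler\s+cuwa_davlogin)", "unsupported", "feature has no Shibboleth equivalent"),
]

# Constructed sample configuration (not taken from a real server).
SAMPLE_CONF = """\
<Location /secure>
    AuthName Cornell
    AuthType all
    Require permit myPermit
    CUWA2FARequire all
    CUWACredentialAge 60
    Require noprompt
</Location>
"""

def audit(conf_text):
    """Return (line_number, action, original, result) for every line a rule matches."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for pattern, action, template in RULES:  # first matching rule wins
            m = re.match(pattern, line, re.IGNORECASE)  # Apache directives are case-insensitive
            if m:
                result = m.expand(template) if action == "replace" else template
                findings.append((n, action, line, result))
                break
    return findings

if __name__ == "__main__":
    for n, action, original, result in audit(SAMPLE_CONF):
        print(f"line {n}: [{action}] {original!r} -> {result!r}")
```

Lines reported as `unsupported` are the ones that need an application change or an IdP-side request before the conversion; `xml` lines move into the `<Sessions>` element of shibboleth2.xml rather than the Apache configuration.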