Before you start to convert CUWebAuth to Shibboleth, review your CUWebAuth configuration and compare it to these instructions. If you use any CUWebAuth feature that is no longer available in Shibboleth, you need to modify your application to replace it with another method before you convert.
Features that are not supported in Shibboleth:
- CUWebAuth Portal Permit: `<Location /CUWAPortal/Permit>`
- CUWAInquire. Suggestion: your application needs to query Active Directory to get group membership.
- CUWebAuth Portal Proxy: `<Location /CUWAPortal/Proxy>`
- CUWebAuth DavLogin: `SetHandler cuwa_davlogin`
When you are ready to convert, follow the instructions to install and configure the Shibboleth Service Provider.
CUWebAuth Directive to Shibboleth mapping
CUWebAuth | Shibboleth (shib.conf) | Shibboleth (shibboleth2.xml) |
---|---|---|
`AuthType all` | `AuthType shibboleth`<br>`ShibRequestSetting requireSession 1` | |
`Require valid-user` | `Require valid-user` | |
`Require netid netid1 netid2` | `Require shib-attr uid netid1 netid2` | |
`Require permit myPermit` | `Require shib-attr groups myPermit` | |
`Require noprompt` | Not supported | |
`CUWA2FARequire all` | Apache 2.4:<br>`ShibRequestSetting authnContextClassRef https://refeds.org/profile/mfa`<br>`<RequireAll>`<br>`Require shib-attr groups mySecureGroup`<br>`</RequireAll>`<br>Apache 2.2: Unfortunately Apache 2.2 does not support the `<RequireAll>` block and interprets multiple `Require` directives with an implicit OR. Shibboleth SP instead provides equivalent functionality to RequireAll:<br>`ShibRequestSetting authnContextClassRef https://refeds.org/profile/mfa`<br>`ShibRequireAll on`<br>`ShibCompatWith24 on`<br>`Require shib-attr groups mySecureGroup`<br>`Require authnContextClassRef "https://refeds.org/profile/mfa"` | |
`CUWA2FARequire permit-name1 permit-name2` | Not supported in Shibboleth SP, but can be supported in the Shibboleth IdP. Please specify your requirement in the Shibboleth integration request form. | |
`CUWACredentialAge` | | `<Sessions lifetime="...">` |
`CUWAinactivityTimeout` | | `<Sessions ... timeout="...">` |
Combination of `CUWACredentialAge` and `CUWAinactivityTimeout` for the purpose of forcing user re-login | | |
`CUWAwak2Name`, `CUWAwaK0Realms` | If your site supports GuestID login, there is no special configuration needed on your end; you just need to indicate that in the Shibboleth integration request form. If your site supports Weill Medicine CWID login, please read: | |
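As an added illustration (not from this page or Cornell's own configuration files), the following httpd fragment converts one CUWebAuth location that required both a permit and two-factor authentication. The path `/secure` and the group name `mySecureGroup` are assumed; the second block shows the weak result you get on Apache 2.2 if `ShibRequireAll` is omitted, followed by the corrected 2.2 and 2.4 forms.

```apache
# BEFORE (CUWebAuth): permit AND two-factor required on /secure
<Location /secure>
    AuthName Cornell              # dropped in the conversion
    AuthType all
    Require permit mySecureGroup
    CUWA2FARequire all
</Location>

# WEAK conversion on Apache 2.2: the two Require lines are OR'ed, so any
# user who satisfies one rule (e.g. completed MFA but is not a member of
# mySecureGroup) is admitted.
<Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibRequestSetting authnContextClassRef https://refeds.org/profile/mfa
    Require shib-attr groups mySecureGroup
    Require authnContextClassRef "https://refeds.org/profile/mfa"
</Location>

# CORRECT on Apache 2.2: let the SP evaluate the rules with AND semantics.
<Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibRequestSetting authnContextClassRef https://refeds.org/profile/mfa
    ShibRequireAll on
    ShibCompatWith24 on
    Require shib-attr groups mySecureGroup
    Require authnContextClassRef "https://refeds.org/profile/mfa"
</Location>

# CORRECT on Apache 2.4: native <RequireAll> container does the AND.
<Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibRequestSetting authnContextClassRef https://refeds.org/profile/mfa
    <RequireAll>
        Require shib-attr groups mySecureGroup
        Require authnContextClassRef "https://refeds.org/profile/mfa"
    </RequireAll>
</Location>
```

The `Require authnContextClassRef` line enforces the MFA context at the SP regardless of what the IdP returns, which is why it appears alongside the group check in both corrected variants.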
The following directives can simply be deleted:
- `AuthName Cornell`
- `CUWAKerberosPrincipal`
- `CUWAWebLoginURL`
- `CUWAKeytab`
- `CUWAsessionFilePath`