iam-knowledge-bits/shibM.adoc at 46656960fc7de0c831e257ac6162a448d9dbf091 · internet2/iam-knowledge-bits

Minimal configuration for midPoint to authenticate users via Shibboleth

1) Protect the admin GUI with shib

Edit …container_files/httpd/conf/midpoint.conf.auth.shibboleth to match the following

Timeout 2400
ProxyTimeout 2400
ProxyBadHeader Ignore

ProxyPass /midpoint ajp://localhost:9090/midpoint secret=s3cr3t timeout=2400 retry=0

<Location /midpoint>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  ShibRequireSession on
  ShibUseHeaders On
  require shibboleth
</Location>

<Location ~ "/midpoint/(actuator/health|js/*|css/*|img/*|less/*|fonts/*|model/*|ws/*|rest/*|report/*|wro/*|static-web/*|wicket/resource/*)">
  Satisfy Any
  Allow from all
  AuthType None
  Require all granted
</Location>

2) Set the user name header to REMOTE_USER

Edit …/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml

<modules>
...
  <httpHeader>
    <name>httpHeader</name>
    <logoutUrl>https://localhost:8443/Shibboleth.sso/Logout</logoutUrl>
    <usernameHeader>REMOTE_USER</usernameHeader>
  </httpHeader>
</modules>...

3) Set Shibboleth as the authentication method for the midPoint admin GUI

Edit the above file to include the following snippet in the list of <sequence> statements that follow after </modules>

<sequence>
    <name>admin-gui-default</name>
    <description>
        Default GUI authentication sequence.
    </description>
    <channel>
        <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
        <default>true</default>
        <urlSuffix>gui-default</urlSuffix>
    </channel>
    <module>
        <name>httpHeader</name>
        <order>30</order>
        <necessity>sufficient</necessity>
    </module>
</sequence>

https://docs.evolveum.com/midpoint/reference/security/authentication/flexible-authentication ⇐ Flexible AuthN

https://docs.evolveum.com/midpoint/reference/security/authentication/flexible-authentication/configuration/ ⇐ Flexible AuthN Configuration

https://spaces.at.internet2.edu/display/MID/Shibboleth+demo ⇐ Shibboleth Demo

https://spaces.at.internet2.edu/display/MID/Grouper+integration+demo#Grouperintegrationdemo-SwitchingmidPointauthenticationtoShibboleth(optional) ⇐ Switching midPoint authentication to Shibboleth

https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml ⇐ Security Policy Example from Evolveum

iam-knowledge-bits/shibM.adoc

Minimal configuration for midPoint to authenticate users via Shibboleth

1) Protect the admin GUI with shib

2) Set the user name header to REMOTE_USER

3) Set Shibboleth as the authentication method for the midPoint admin GUI

Links to related documentation