Minimal configuration for midPoint to authenticate users via Shibboleth
Edit …container_files/httpd/conf/midpoint.conf.auth.shibboleth to match the following
# Long timeouts: report and bulk operations in midPoint can run for minutes.
Timeout 2400
ProxyTimeout 2400
ProxyBadHeader Ignore
# AJP to midPoint's Tomcat. Replace the placeholder secret and set the same
# value on the Tomcat AJP connector (mod_proxy_ajp accepts secret= from
# Apache 2.4.42). Bind that connector to the loopback address only: a client
# that can reach port 9090 directly can hand midPoint any REMOTE_USER it
# likes and bypass Shibboleth entirely.
ProxyPass /midpoint ajp://localhost:9090/midpoint secret=s3cr3t timeout=2400 retry=0
<Location /midpoint>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # Legacy spelling of the setting above; harmless on current SP versions.
    ShibRequireSession on
    # Export session data as request headers, which is what midPoint's
    # httpHeader module reads. Headers are spoofable if the backend is
    # reachable other than through this proxy, hence the loopback note above.
    ShibUseHeaders On
    Require shibboleth
</Location>
# This block must come after <Location /midpoint>: sections are merged in
# configuration-file order and a later match overrides an earlier one. It
# switches Apache-side authentication off for static assets, the health
# endpoint and the REST/SOAP/report interfaces, leaving those to midPoint's
# own authentication sequences. The regex is anchored with ^ and uses "/.*"
# instead of "/*" ("js/*" would also match /midpoint/jsanything, and an
# unanchored pattern matches anywhere in the path).
<Location ~ "^/midpoint/(actuator/health|js/.*|css/.*|img/.*|less/.*|fonts/.*|model/.*|ws/.*|rest/.*|report/.*|wro/.*|static-web/.*|wicket/resource/.*)">
    # Satisfy/Allow are the Apache 2.2 (mod_access_compat) form,
    # Require all granted the 2.4 form; together they cover both.
    Satisfy Any
    Allow from all
    AuthType None
    Require all granted
</Location>
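Which paths the two Location blocks actually leave open is easy to get wrong, so here is an added example (not part of the Internet2 demo or of midPoint) that reproduces Apache's matching rules in Python: a plain <Location> prefix matches on path-segment boundaries, <Location ~> is an unanchored regex search on the path only, and a later matching section overrides an earlier one. It compares the alternation as it originally appeared on the page (with "/*") against an anchored "/.*" form. The sample URLs are constructed.

```python
# Added example (not from the Internet2 demo or midPoint): reproduce Apache's
# <Location> matching for the configuration above to see which /midpoint paths
# Shibboleth protects and which the exemption block opens up.
import re
from urllib.parse import urlsplit

# The alternation as it originally appeared on the page. "js/*" means "js"
# followed by zero or more slashes, so it also matches /midpoint/jsanything,
# and because <Location ~> is an unanchored search it matches anywhere in the
# path, e.g. /midpoint/self/midpoint/js/x.js.
EXEMPT_AS_WRITTEN = re.compile(
    r"/midpoint/(actuator/health|js/*|css/*|img/*|less/*|fonts/*|model/*"
    r"|ws/*|rest/*|report/*|wro/*|static-web/*|wicket/resource/*)"
)
# Anchored at the start of the path and using "/.*", so only genuine
# sub-paths of the listed directories are exempt.
EXEMPT_FIXED = re.compile(
    r"^/midpoint/(actuator/health|js/.*|css/.*|img/.*|less/.*|fonts/.*|model/.*"
    r"|ws/.*|rest/.*|report/.*|wro/.*|static-web/.*|wicket/resource/.*)"
)


def location_prefix_matches(prefix, path):
    """<Location /midpoint> matches /midpoint and everything below it, but
    not /midpointx: Apache compares plain Location prefixes on segment
    boundaries."""
    return path == prefix or path.startswith(prefix + "/")


def classify(url, exempt=EXEMPT_FIXED):
    """Return 'not-proxied', 'shibboleth' or 'exempt' for a request URL.

    <Location> sections are merged in configuration-file order and a later
    matching section overrides an earlier one, so the exemption block (which
    must come second) wins whenever its regex matches. Apache matches the
    path only; the query string plays no part.
    """
    path = urlsplit(url).path
    if not location_prefix_matches("/midpoint", path):
        return "not-proxied"   # no ProxyPass and no Shibboleth for this path
    if exempt.search(path):    # unanchored search, exactly like <Location ~>
        return "exempt"        # AuthType None: left to midPoint's own authentication
    return "shibboleth"        # AuthType shibboleth + requireSession


def disagreements(urls):
    """URLs the as-written regex exempts but the anchored one still protects."""
    return [u for u in urls
            if classify(u, EXEMPT_AS_WRITTEN) == "exempt"
            and classify(u, EXEMPT_FIXED) == "shibboleth"]


# Constructed sample requests against the demo's public address.
SAMPLE_URLS = [
    "https://localhost:8443/midpoint",
    "https://localhost:8443/midpoint/self/dashboard",
    "https://localhost:8443/midpoint/self/dashboard?next=/midpoint/js/",
    "https://localhost:8443/midpoint/js/midpoint-theme.js",
    "https://localhost:8443/midpoint/ws/rest/users",
    "https://localhost:8443/midpoint/actuator/health",
    "https://localhost:8443/midpoint/jsx",                    # hits "js/*"
    "https://localhost:8443/midpoint/self/midpoint/js/x.js",  # unanchored hit
    "https://localhost:8443/midpointx/js/a.js",
]

if __name__ == "__main__":
    print(f"{'as written':12} {'anchored':12} url")
    for u in SAMPLE_URLS:
        print(f"{classify(u, EXEMPT_AS_WRITTEN):12} {classify(u):12} {u}")
    print("opened up only by the as-written regex:", disagreements(SAMPLE_URLS))
```

Run it whenever the exemption list changes; anything midPoint serves under a path that merely starts with one of the listed names (or contains one further down the path) shows up in disagreements() and would otherwise be reachable without a Shibboleth session.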
Edit …/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml
<modules>
    ...
    <httpHeader>
        <name>httpHeader</name>
        <!-- The SP's logout endpoint. midPoint sends the browser here on logout so the
             Shibboleth session ends as well; otherwise the next request, with
             requireSession still satisfied, simply logs the user back in. The host
             must be the one the SP is served from. -->
        <logoutUrl>https://localhost:8443/Shibboleth.sso/Logout</logoutUrl>
        <!-- The request header whose value midPoint takes, unverified, as the login
             name. It is trustworthy only while midPoint is reachable solely through
             the Shibboleth-protected proxy. -->
        <usernameHeader>REMOTE_USER</usernameHeader>
    </httpHeader>
</modules>
...
Edit the same file so that the following <sequence> appears in the list of <sequence> elements that follows </modules>. If the file already contains a sequence named admin-gui-default, replace it rather than adding a second one: sequence names must be unique and a channel can have only one default sequence. Also keep a sequence on the user channel that does not depend on Shibboleth (the flexible authentication documentation linked below describes an emergency sequence, selected by its own urlSuffix, that uses the loginForm module); without one, an SP or IdP outage locks administrators out of the GUI.
<sequence>
    <name>admin-gui-default</name>
    <description>
        Default GUI authentication sequence.
    </description>
    <channel>
        <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
        <!-- default=true: used for GUI logins that do not name a urlSuffix -->
        <default>true</default>
        <urlSuffix>gui-default</urlSuffix>
    </channel>
    <module>
        <!-- must match the <name> of a module defined under <modules> -->
        <name>httpHeader</name>
        <!-- order only matters relative to other modules in the same sequence -->
        <order>30</order>
        <!-- sufficient: a REMOTE_USER that resolves to a user completes authentication -->
        <necessity>sufficient</necessity>
    </module>
</sequence>
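Both edits to 000-security-policy.xml (the httpHeader module above and the sequence that references it) are easy to get subtly wrong: a module name that matches nothing, two default sequences on the user channel, or no way in once the SP is down. As an added example, not midPoint code or the demo's own file, here is a small lint over the authentication section. It runs on a constructed sample that combines the page's module and sequence with a loginForm fallback sequence; that fallback, its name admin-gui-emergency and its urlSuffix emergency are assumptions for the sample, as is the presence of the midPoint common-3 namespace on the root element.

```python
# Added example (not midPoint code): lint the authentication section of a
# midPoint securityPolicy for the mistakes the edits above invite.
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

MIDPOINT_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
USER_CHANNEL = "http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user"

# Constructed sample; the emergency sequence is an assumption, not the page's.
SAMPLE_POLICY = f"""<securityPolicy xmlns="{MIDPOINT_NS}">
  <authentication>
    <modules>
      <loginForm><name>loginForm</name></loginForm>
      <httpHeader>
        <name>httpHeader</name>
        <logoutUrl>https://localhost:8443/Shibboleth.sso/Logout</logoutUrl>
        <usernameHeader>REMOTE_USER</usernameHeader>
      </httpHeader>
    </modules>
    <sequence>
      <name>admin-gui-default</name>
      <channel>
        <channelId>{USER_CHANNEL}</channelId>
        <default>true</default>
        <urlSuffix>gui-default</urlSuffix>
      </channel>
      <module><name>httpHeader</name><order>30</order><necessity>sufficient</necessity></module>
    </sequence>
    <sequence>
      <name>admin-gui-emergency</name>
      <channel>
        <channelId>{USER_CHANNEL}</channelId>
        <default>false</default>
        <urlSuffix>emergency</urlSuffix>
      </channel>
      <module><name>loginForm</name><order>10</order><necessity>sufficient</necessity></module>
    </sequence>
  </authentication>
</securityPolicy>"""


def _local(tag):
    """'{namespace}sequence' -> 'sequence', so checks work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def _text(el, name):
    kids = _children(el, name)
    return (kids[0].text or "").strip() if kids else None


def lint(policy_xml):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(policy_xml)
    findings = []
    modules = {}                                   # module name -> module type
    for mods in (e for e in root.iter() if _local(e.tag) == "modules"):
        for m in mods:
            modules[_text(m, "name")] = _local(m.tag)
            if _local(m.tag) == "httpHeader" and not _text(m, "usernameHeader"):
                findings.append(f"httpHeader module {_text(m, 'name')!r} has no usernameHeader")
    sequences = [e for e in root.iter() if _local(e.tag) == "sequence"]
    names = Counter(_text(s, "name") for s in sequences)
    findings += [f"duplicate sequence name {n!r}" for n, k in names.items() if k > 1]
    suffixes = Counter()
    defaults = defaultdict(list)                   # channelId -> default sequence names
    per_channel = defaultdict(list)                # channelId -> module-type list per sequence
    for s in sequences:
        sname = _text(s, "name")
        chans = _children(s, "channel")
        chan = chans[0] if chans else None
        chan_id = _text(chan, "channelId") if chan is not None else "(no channel)"
        if chan is not None and _text(chan, "default") == "true":
            defaults[chan_id].append(sname)
        if chan is not None and _text(chan, "urlSuffix"):
            suffixes[_text(chan, "urlSuffix")] += 1
        types = []
        for m in _children(s, "module"):
            ref = _text(m, "name")
            if ref in modules:
                types.append(modules[ref])
            else:
                findings.append(f"sequence {sname!r} references undefined module {ref!r}")
        per_channel[chan_id].append(types)
    findings += [f"duplicate urlSuffix {x!r}" for x, k in suffixes.items() if k > 1]
    for chan_id, seqs in per_channel.items():
        d = defaults.get(chan_id, [])
        if not d:
            findings.append(f"no default sequence for channel {chan_id}")
        elif len(d) > 1:
            findings.append(f"multiple default sequences for channel {chan_id}: {d}")
        # Lock-out check: a fallback is a sequence with no httpHeader module at all.
        # If every sequence on the channel needs the SP-supplied header, an SP or
        # IdP outage leaves no way into the GUI.
        uses_header = any("httpHeader" in t for t in seqs)
        has_fallback = any(t and "httpHeader" not in t for t in seqs)
        if uses_header and not has_fallback:
            findings.append(f"no fallback sequence without httpHeader on channel {chan_id}")
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_POLICY) or ["policy OK"]:
        print(line)
```

Point lint() at the real file's contents before restarting midPoint; a bad module reference or a second default sequence is far easier to read here than in the server log after the policy has been rejected.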
Links to related documentation
https://docs.evolveum.com/midpoint/reference/security/authentication/flexible-authentication ⇐ Flexible AuthN
https://docs.evolveum.com/midpoint/reference/security/authentication/flexible-authentication/configuration/ ⇐ Flexible AuthN Configuration
https://spaces.at.internet2.edu/display/MID/Shibboleth+demo ⇐ Shibboleth Demo
https://spaces.at.internet2.edu/display/MID/Grouper+integration+demo#Grouperintegrationdemo-SwitchingmidPointauthenticationtoShibboleth(optional) ⇐ Switching midPoint authentication to Shibboleth
https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml ⇐ Security Policy Example from Evolveum