
Minimal configuration for midPoint to authenticate users via Shibboleth

1) Protect the admin GUI with shib

Edit …container_files/httpd/conf/midpoint.conf.auth.shibboleth to match the following

Timeout 2400
ProxyTimeout 2400
ProxyBadHeader Ignore

ProxyPass /midpoint ajp://localhost:9090/midpoint secret=s3cr3t timeout=2400 retry=0

<Location /midpoint>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  ShibRequireSession on
  ShibUseHeaders On
  require shibboleth
</Location>

<Location ~ "/midpoint/(actuator/health|js/*|css/*|img/*|less/*|fonts/*|model/*|ws/*|rest/*|report/*|wro/*|static-web/*|wicket/resource/*)">
  Satisfy Any
  Allow from all
  AuthType None
  Require all granted
</Location>

2) Set the user name header to REMOTE_USER

Edit …/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml

<modules>
...
  <httpHeader>
    <name>httpHeader</name>
    <logoutUrl>https://localhost:8443/Shibboleth.sso/Logout</logoutUrl>
    <usernameHeader>REMOTE_USER</usernameHeader>
  </httpHeader>
</modules>...

3) Set Shibboleth as the authentication method for the midPoint admin GUI

Edit the same file so that the list of <sequence> elements that follows </modules> includes the following snippet

<sequence>
    <name>admin-gui-default</name>
    <description>
        Default GUI authentication sequence.
    </description>
    <channel>
        <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
        <default>true</default>
        <urlSuffix>gui-default</urlSuffix>
    </channel>
    <module>
        <name>httpHeader</name>
        <order>30</order>
        <necessity>sufficient</necessity>
    </module>
</sequence>