Shibboleth » History » Revision 21

Lutz Suhrbier, 09/04/2007 10:38 PM


Shibboleth is an Internet2 Middleware Initiative project that has created an architecture and open-source implementation for federated identity-based authentication and authorization infrastructure based on SAML. Federated identity allows for information about users in one security domain to be provided to other organizations in a common federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords. Identity providers (IdPs) supply user information, while service providers (SPs) consume this information and gate access to secure content.

Shibboleth (IPA: [ˈʃɪbəlɛθ]) is any language usage indicative of one's social or regional origin or, more broadly, any practice that identifies members of a group.


Shibboleth

Installation

General information is available in

Identity Provider (IdP) Installation

IdP Installation for EDIT

General IdP Installation descriptions

Service Provider (SP) Installation

SP Installation for EDIT

General SP Installation descriptions

Using Shibboleth

Drupal

Drupal authentication can be used with Shibboleth based on web server environment variables, particularly REMOTE_USER.

Initially, you just have to protect the path to your Drupal installation on your Shibboleth Service Provider, according to one of these installation descriptions
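The step above, as an added example that is not taken from the EDIT installation descriptions: an Apache location block on the SP host that forces a Shibboleth session for the Drupal path, so that REMOTE_USER is always set by the time Drupal's module runs. The path /drupal is an assumption.

```apache
# Added example, not from the EDIT installation pages. The Drupal path
# (/drupal) is an assumption; use the path of your own installation.
<Location /drupal>
  AuthType shibboleth
  # Require a session for every request under this path. With a lazy session
  # (ShibRequireSession Off) REMOTE_USER may be empty, and the Drupal module
  # then silently takes its "user isn't logged into web server" branch.
  ShibRequireSession On
  require valid-user
</Location>
```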

Next, you can simply install the Webserver Auth Module (http://drupal.org/project/webserver_auth). Currently, this module is not compatible with Drupal 5, but the version presented here is working.

In order to shibbolize your Drupal5 installation, just do the following steps:

  • Download the Webserver Auth module

  • Extract it into the modules subdirectory of your Drupal5 installation.

  • Create a file named webserver_auth.info within the Drupal5 subdirectory of the Webserver Auth module (e.g. /var/www/drupal-5.2/modules/webserver_auth/) with a content similar to this:

; $Id: webserver_auth-notes.txt,v 1.1 2007/04/11 21:40:14 wnorthway Exp $
name = Webserver Authentication
description = Allows Drupal to honor the webserver's authentication.
version = "4-7.x-modified"
  • Modify the file webserver_auth.module within the Drupal5 subdirectory of the Webserver Auth module (e.g. /var/www/drupal-5.2/modules/webserver_auth/webserver_auth.module) as follows:
<?php
// $Id: webserver_auth.module,v 1.13.2.3 2006/03/03 05:08:12 weitzman Exp $

/**
 * Implementation of hook_init(): log the user into Drupal based on the
 * REMOTE_USER variable that the Shibboleth SP sets after a successful login.
 */
function webserver_auth_init() {
  global $user, $account;

  if ($user->uid) {
    // Do nothing: the user is already logged into Drupal.
  }
  else {
    if (!empty($_SERVER['REMOTE_USER'])) {
      // The user is logged into the web server (Shibboleth session).
      $name = $_SERVER['REMOTE_USER'];
      if (!is_object($account)) {
        $account = new stdClass();
      }
      $account->name = $name;
      // Modules may change the user bits before saving; they use the global $account to do so.
      // Only loaded modules will see this hook.
      module_invoke_all('webserver_auth');
      // If we are in bootstrap, load user.module ourselves.
      if (!module_exists('user')) {
        drupal_load('module', 'user');
      }
      // E-mail address released by the IdP and exported by the SP as a request header.
      $shib_mail = isset($_SERVER['HTTP_SHIB_MAIL']) ? $_SERVER['HTTP_SHIB_MAIL'] : '';
      $user_shib = array('name' => $account->name, 'pass' => 'nopass', 'mail' => $shib_mail, 'status' => 1);
      // Try to log into Drupal with the existing account; otherwise create one.
      if ($user = user_load((array) $account)) {
        watchdog('user', "Session opened for $user->name.", WATCHDOG_NOTICE);
        // Refresh the Drupal account from the Shibboleth attributes on every login.
        $user = user_save($user, array_merge((array) $user, $user_shib));
        watchdog('user', "$user->name($user->mail) updated from Shibboleth attributes.", WATCHDOG_NOTICE);
        // Role id 3 is the 'admin' role on this site.
        user_multiple_role_edit(array($user->uid), 'add_role', 3);
        watchdog('user', "$user->name($user->mail) added to role admin.", WATCHDOG_NOTICE);
      }
      else {
        $user = user_save($account, $user_shib);
        watchdog('user', "new user: $user->name.", WATCHDOG_NOTICE);
        user_multiple_role_edit(array($user->uid), 'add_role', 3);
        watchdog('user', "$user->name($user->mail) added to role admin.", WATCHDOG_NOTICE);
      }
    }
    else {
      // Do nothing: the user is not logged into the web server.
      // $user = drupal_anonymous_user();
      // watchdog('user', 'Session opened for Anonymous.', WATCHDOG_NOTICE);
    }
  }
}

Now we have a basic authentication skeleton for Drupal. Currently, authenticated users must be entered in the Drupal user database by the site administrator. The original Webserver Auth module also supports automatic user registration. This is currently work in progress, but should be easy to complete.

To shibbolize Drupal and adapt it to our needs, we will extend this basic authentication module, addressing the following issues:

  • automatic Drupal registration of users authenticated with Shibboleth

    • includes automatic mapping of Shibboleth attributes to Drupal's user database
  • automatic update of Drupal's user database entry according to attribute changes on the Shibboleth IdP

    • This should be done on each login at least.
  • get the Drupal logout to work properly

    • Currently, users are automatically logged in again right after logging out, because the Drupal main page is reloaded and the Webserver Auth module is activated again at the same time.
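The first two items above (automatic registration with attribute mapping, and updating the account on each login), as an added example that is not part of the EDIT module or the Webserver Auth module: a small mapping function between SP-exported request headers and Drupal user fields, and a login routine that creates the account on first login and refreshes it afterwards. The attribute map, the header names other than REMOTE_USER and HTTP_SHIB_MAIL, and the random-password choice are assumptions for this site.

```php
<?php
// Added example for the planned attribute mapping and per-login update; not
// code from the EDIT wiki or the Webserver Auth module. The map and every
// header name besides REMOTE_USER and HTTP_SHIB_MAIL are assumptions.

// Which SP-exported request headers feed which Drupal user fields.
function webserver_auth_shib_map() {
  return array(
    'HTTP_SHIB_MAIL' => 'mail',
    // 'HTTP_SHIB_GIVENNAME' => 'givenname',  // assumed profile field
  );
}

// Build the $edit array for user_save() from a $_SERVER-like array.
// Returns NULL when the web server has not authenticated the request, so
// the caller leaves the Drupal user anonymous instead of creating an account.
function webserver_auth_shib_edit(array $server, array $map) {
  if (empty($server['REMOTE_USER'])) {
    return NULL;
  }
  $edit = array('name' => $server['REMOTE_USER'], 'status' => 1);
  foreach ($map as $header => $field) {
    if (isset($server[$header]) && $server[$header] !== '') {
      // The SP joins multi-valued attributes with ';'; use the first value.
      $values = explode(';', $server[$header]);
      $edit[$field] = trim($values[0]);
    }
  }
  return $edit;
}

// Create the Drupal account on first login, update it on every later login.
function webserver_auth_shib_login(array $server) {
  $edit = webserver_auth_shib_edit($server, webserver_auth_shib_map());
  if ($edit === NULL) {
    return drupal_anonymous_user();
  }
  if ($account = user_load(array('name' => $edit['name']))) {
    // Existing account: refresh the attributes released by the IdP.
    return user_save($account, $edit);
  }
  // New account: Shibboleth users never log in with a Drupal password, so
  // store a random one (assumption) instead of a shared known value.
  $edit['pass'] = user_password();
  return user_save('', $edit);
}
```

Calling webserver_auth_shib_login($_SERVER) from the hook_init() above in place of the inline user_load()/user_save() sequence keeps the role assignment a separate, deliberate step rather than part of the attribute update.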

Updated by Lutz Suhrbier about 17 years ago · 21 revisions