Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

IdP (Identity Provider): a web-based system that authenticates a user on behalf of another system, the Service Provider (SP).

...

entityID: the unique identifier of our Service Provider (SP).

Our current version of the Shrine application does not support the use of request headers. However, if you decide to go that way instead of using AJP and request attributes, the following paragraph is pertinent:

REMOTE_USER: how the REMOTE_USER attribute will be populated, given as a space-separated list of attribute names. Note that "ecommonsid", which is specific to HMS IT, comes first, so in this environment REMOTE_USER will be set to the value of "ecommonsid". Otherwise, the first attribute name in the list that matches an attribute returned by the IdP will be used.

"attributePrefix" must be set to "AJP_" so that the attributes from the "attribute-map.xml" file (see below) are passed to Tomcat as request attributes rather than as request headers. See also server.xml on the same topic.
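The following is an added example, not code from the Shrine project or the Shibboleth SP: a small Python model of the two settings just described, the REMOTE_USER precedence list and the attributePrefix. The IdP attribute sets are constructed sample data, and the model deliberately ignores everything else the SP does (attribute-map.xml filtering, the AJP transport itself).

```python
# Added example (not part of the Shrine/Shibboleth documentation or code):
# a model of how the SP picks REMOTE_USER from the IdP's attributes and how
# attributePrefix renames the exported attributes for Tomcat.

# The list from the page, in order of precedence.
REMOTE_USER_PRECEDENCE = ["ecommonsid", "eppn", "uid", "persistent-id", "targeted-id"]
# attributePrefix="AJP_" from shibboleth2.xml.
ATTRIBUTE_PREFIX = "AJP_"


def resolve_remote_user(precedence, idp_attributes):
    """Return the value the SP would place in REMOTE_USER.

    The first name in the REMOTE_USER list that the IdP actually returned
    with a non-empty value wins; if none match, REMOTE_USER stays unset.
    """
    for name in precedence:
        value = idp_attributes.get(name)
        if value:
            return value
    return None


def export_attributes(idp_attributes, prefix):
    """Model attributePrefix: each mapped attribute is exported under
    prefix + name. With "AJP_" this is what makes mod_proxy_ajp carry the
    value to Tomcat as a request attribute instead of an HTTP request header.
    """
    return {prefix + name: value for name, value in idp_attributes.items()}


# Constructed sample: an HMS IT IdP that returns ecommonsid as well as eppn.
HMS_ATTRIBUTES = {"ecommonsid": "jdoe", "eppn": "jdoe@example.org", "uid": "jdoe"}
# Constructed sample: a non-HMS IdP that has no ecommonsid attribute at all,
# so the next name in the list is used.
OTHER_ATTRIBUTES = {"eppn": "asmith@partner.example", "persistent-id": "abc123"}


if __name__ == "__main__":
    print(resolve_remote_user(REMOTE_USER_PRECEDENCE, HMS_ATTRIBUTES))    # jdoe
    print(resolve_remote_user(REMOTE_USER_PRECEDENCE, OTHER_ATTRIBUTES))  # asmith@partner.example
    print(export_attributes(HMS_ATTRIBUTES, ATTRIBUTE_PREFIX))            # keys start with AJP_
```

Running it shows why the order of the list matters: in the HMS environment "ecommonsid" wins even though eppn and uid are also present, while an IdP that does not release ecommonsid falls through to eppn.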

...

See https://stackoverflow.com/questions/63505670/apache-cant-connect-to-new-tomcat-9-ajp

Comparison of the ApplicationDefaults element: the earlier version carried REMOTE_USER="ecommonsid eppn uid persistent-id targeted-id"; the current version replaces it with attributePrefix="AJP_":

<ApplicationDefaults entityID="https://shrine-sso-node01.catalyst.harvard.edu"
                     signing="true"
                     attributePrefix="AJP_"
>

If using request headers instead of request attributes, include the following in the ApplicationDefaults element:

REMOTE_USER="ecommonsid eppn uid persistent-id targeted-id"

Sessions configuration documentation is available at https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065334342/Sessions

TO DO: set checkAddress to "true" and test.

<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
Note that while we default checkAddress to "false", this has a negative impact on the
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-->

Comparison of the Sessions element: checkAddress was "false" in the earlier version and is "true" in the current one:

<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="true" handlerSSL="true" cookieProps="https">
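The following is an added example, not code from Shrine or the Shibboleth SP: a Python model of the three checks the Sessions element above configures (lifetime, idle timeout and checkAddress), run on constructed sample sessions so the effect of checkAddress on a replayed session cookie can be seen. The lifetime and timeout values are the ones on the page; the session structure and timestamps are assumptions for the model only.

```python
# Added example (not part of the Shrine or Shibboleth SP code): a simplified
# model of SP session validation under the <Sessions> settings above.
from dataclasses import dataclass, field

LIFETIME = 28800   # seconds, lifetime="28800": absolute maximum session age
TIMEOUT = 3600     # seconds, timeout="3600": maximum idle time between requests


@dataclass
class Session:
    created: int             # time (seconds) the session was established
    client_addr: str         # address of the client that established it
    last_used: int = field(init=False)

    def __post_init__(self):
        self.last_used = self.created


def validate_session(session, now, client_addr, check_address):
    """Return (ok, reason) in the way an SP session check would.

    The session is rejected when it is older than lifetime, has been idle
    longer than timeout, or, with checkAddress enabled, is presented from a
    different client address than the one it was created from. A successful
    check resets the idle clock.
    """
    if now - session.created > LIFETIME:
        return False, "lifetime exceeded"
    if now - session.last_used > TIMEOUT:
        return False, "idle timeout exceeded"
    if check_address and client_addr != session.client_addr:
        return False, "client address changed"
    session.last_used = now
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a session established at t=0 from 10.0.0.5.
    sess = Session(created=0, client_addr="10.0.0.5")
    print(validate_session(sess, 600, "10.0.0.5", check_address=True))
    # The same cookie presented ten minutes later from a different address.
    # With checkAddress="false" it is accepted; with "true" it is rejected.
    print(validate_session(sess, 1200, "198.51.100.7", check_address=False))
    print(validate_session(sess, 1200, "198.51.100.7", check_address=True))
```

The comment in shibboleth2.xml is about the second case: with checkAddress="false" a stolen session cookie works from any address, so a leaked cookie is enough to reuse the session until it times out. The reason the default is nevertheless "false" is the same check applied to a legitimate user whose address changes mid-session (a NAT pool or a mobile network), who would be bounced back to the IdP, which is what the TO DO above proposes to test.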

...