...

IdP (Identity Provider): a web-based system that authenticates a user on behalf of another system, the SP (Service Provider).

...

The following tells Apache to proxy all calls to URLs starting with "shrine-api" to the Tomcat AJP connector on 127.0.0.1:8009 (path /shrine-api/) over the AJP protocol (the proxy target therefore uses the ajp:// scheme, not http://). We therefore need to set up Tomcat to listen for AJP traffic on port 8009, and only on the loopback address, since anything that can reach that port can hand Tomcat arbitrary request attributes (see Tomcat Configuration below).

...

The following tells Shibboleth to expose the attributes it collects from the IdP as Apache environment variables, which mod_proxy_ajp then forwards to Tomcat as request attributes. This is recommended over the ShibUseHeaders option, which passes the same information as HTTP request headers: headers can be set by any client on a path the Shibboleth module does not cover, whereas request attributes can only come from the proxy itself. See https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072327/NativeSPApacheConfig.
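An httpd virtual-host fragment that puts the two Apache pieces above together (the ShibUseHeaders/environment choice and the AJP ProxyPass), as an added example rather than the page's own configuration. It assumes mod_shib, mod_proxy and mod_proxy_ajp are already loaded, that Tomcat's AJP connector on 127.0.0.1:8009 is configured with the same shared secret (the value CHANGE_ME_SHARED_SECRET is a placeholder), and that httpd is 2.4.42 or later, which is when the secret= ProxyPass parameter appeared.

```apache
# Added example (not SHRINE's or Shibboleth's own config). Placeholders are marked CHANGE_ME.

<Location /shrine-api>
    # Let mod_shib intercept the path and force a session at the IdP.
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session

    # Export IdP attributes as environment variables, never as client-visible
    # request headers: a header can be forged by the caller, an env var cannot.
    ShibUseEnvironment On
    ShibUseHeaders Off
</Location>

# mod_proxy_ajp forwards every environment variable whose name starts with AJP_
# to Tomcat as a request attribute with the prefix stripped (hence
# attributePrefix="AJP_" in shibboleth2.xml). The secret must match the
# "secret" on Tomcat's AJP <Connector>, otherwise Tomcat refuses the connection.
ProxyPass        /shrine-api/ ajp://127.0.0.1:8009/shrine-api/ secret=CHANGE_ME_SHARED_SECRET
ProxyPassReverse /shrine-api/ ajp://127.0.0.1:8009/shrine-api/
```

Keep the AJP target on 127.0.0.1: the proxy connection is the only trust boundary between the authenticated attributes and the servlet, so it must not be reachable from anywhere else.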

...

The Shibboleth SP consists of a daemon (shibd) plus an Apache module (mod_shib). Both must be configured for Shibboleth to intercept certain requests (see Apache Configuration above). When a request is intercepted, Shibboleth decides whether the user (1) needs to log in at the configured IdP (which presents a login form to the user), or (2) is already logged in, in which case Shibboleth lets the request be served as if it had never been intercepted.

...

"attributePrefix" must be set to "AJP_" so that the attributes from the "attribute-map.xml" file (see below) are passed to Tomcat as request attributes (as opposed to request headers): mod_proxy_ajp forwards only environment variables carrying that prefix, and strips it before handing them to Tomcat. See also server.xml on the same topic.

See: https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2067400159/JavaHowTo

See: https://stackoverflow.com/questions/63505670/apache-cant-connect-to-new-tomcat-9-ajp

...

The attribute-map.xml file (located by the "path" XML attribute) specifies which attributes are extracted from the IdP's response and the names of the request headers or attributes under which they are made available to the Java code. More on this file later.

...

IMPORTANT: you must specify at least one attribute whose id is "remoteUser". The Shrine SP code looks for a request attribute with that id to populate the user name (which appears in the user account "badge" at the top-right corner of the UI). It is also used as the key for any third-party supplemental info, such as the Profiles API at HMS. In the present case, the attribute name mapped to remoteUser is "ecommonsId", because that is what the HMS IdP returns, along with "Email", "Firstname" and "Lastname".
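The shibboleth2.xml and attribute-map.xml fragments described in the three passages above (the AJP_ prefix, the "path" attribute, and the mandatory remoteUser id mapped from ecommonsId), written out as an added example; this is not the page's or SHRINE's own configuration. The entityID, the IdP entityID and the nameFormat handling are assumptions: if the HMS IdP sends these attributes with a non-URI SAML name format, each Attribute element also needs a matching nameFormat="..." attribute, which you confirm against the IdP's actual assertion.

```xml
<!-- Added example, not SHRINE's shipped config. Placeholder identifiers are marked CHANGE_ME. -->

<!-- shibboleth2.xml: only the relevant part of ApplicationDefaults is shown. -->
<ApplicationDefaults entityID="https://CHANGE_ME.example.org/shibboleth"
                     REMOTE_USER="remoteUser"
                     attributePrefix="AJP_">
    <!-- ... <Sessions>, <Errors>, <MetadataProvider> etc. as usual ... -->

    <!-- Attribute ids from this file become environment variables
         AJP_remoteUser, AJP_Email, ... which reach Tomcat as request
         attributes remoteUser, Email, ... once mod_proxy_ajp strips the prefix. -->
    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
</ApplicationDefaults>

<!-- attribute-map.xml: "name" is what the IdP sends, "id" is what the Java code sees. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <!-- Required: SHRINE reads the request attribute "remoteUser" for the user name. -->
    <Attribute name="ecommonsId" id="remoteUser"/>
    <Attribute name="Email"      id="Email"/>
    <Attribute name="Firstname"  id="Firstname"/>
    <Attribute name="Lastname"   id="Lastname"/>
</Attributes>
```

A quick check after restarting shibd is to hit the SP's session handler (/Shibboleth.sso/Session on the SP host) while logged in: every id listed above should appear there with a value, and if remoteUser is missing the badge will be empty and any Profiles lookup keyed on it will fail.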

...

Configure the AJP connector. Note the allowedRequestAttributesPattern=".*" attribute. Tomcat only accepts non-standard AJP request attributes whose names match this pattern, and rejects the whole request (HTTP 403) if any attribute does not, so it is needed for the attributes from the "attribute-map.xml" file (see above) to reach the ServletRequest object as request attributes under their correct names (as opposed to request headers). Because ".*" accepts any attribute a peer cares to send, including remoteUser, the connector must be bound to 127.0.0.1 and protected with the AJP shared secret (since Tomcat 9.0.31 the connector requires a secret by default, which is the cause of the "can't connect" problem in the Stack Overflow link above); do not switch secretRequired off to make the error go away. See also shibboleth2.xml on the same topic.
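A server.xml AJP connector that matches the description above, added here as an example and not taken from SHRINE's distributed server.xml. It assumes Tomcat 9.0.31 or later (where secretRequired defaults to true) and that Apache's ProxyPass line uses the same secret; CHANGE_ME_SHARED_SECRET is a placeholder.

```xml
<!-- Added example, not SHRINE's shipped server.xml. Placeholder values are marked CHANGE_ME. -->
<Service name="Catalina">
    <!-- AJP from Apache only. Bind to loopback: whoever can open this port
         can send any request attribute, including remoteUser. -->
    <Connector protocol="AJP/1.3"
               address="127.0.0.1"
               port="8009"
               redirectPort="8443"
               secretRequired="true"
               secret="CHANGE_ME_SHARED_SECRET"
               allowedRequestAttributesPattern=".*" />
    <!-- ".*" is required because Shibboleth exports every variable under the
         AJP_ prefix, the Shib-Session-ID / Shib-Identity-Provider session
         variables included; a tighter regex has to list all of them or Tomcat
         returns 403 for every proxied request. -->

    <!-- ... <Engine>, <Host> etc. unchanged ... -->
</Service>
```

With the secret set on both sides, a mismatch shows up in catalina.out as a rejected connection rather than as silently missing attributes, which is the failure you want: a connector that still answers but drops remoteUser would let the application fall through to an empty user.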

...