Single Sign On with Shibboleth

Prerequisites

The following prerequisites have to be fulfilled:

  1. Apache HTTP daemon (as a proxy for openBIS AS and DSS) is installed.
  2. Shibboleth daemon is installed.
  3. Shibboleth module for Apache is installed.
  4. openBIS is registered at the federation of services (like SWITCHaai).

For 1.-3. see the Shibboleth Service Provider (SP) Installation Guide.

After installation of Apache and Shibboleth they have to be configured as described in Shibboleth Service Provider (SP) Configuration Guide.

An important step during the configuration process is the registration at the federation (see https://www.switch.ch/aai/guides/sp/configuration/#7). In this step the URL of the application and the required attributes of the user to be signed on have to be specified:

  • The URL of the application should be something like https://<host>/openbis-sso, where <host> is the name of the host machine. Instead of openbis-sso another name can be chosen, as long as it is not openbis or datastore_server.

The required attributes are used by openBIS to register the user in the openBIS database. The following attributes are needed by openBIS:

  • an attribute which uniquely identifies the user. This can be an ID like SWITCH edu-ID (e.g. 123456@ethz.ch), but this has the disadvantage that the user wouldn't be easily recognisable in openBIS. A more appropriate ID is the e-mail address.
  • first name or given name
  • last name or surname
  • e-mail address

openBIS configuration

By default openBIS is configured to run without a proxy as an HTTPS server. Behind the proxy openBIS AS and DSS have to be configured to run as HTTP servers:

  1. Copy file servers/openBIS-server/jetty-dist/demo-base/start.d/http.ini to servers/openBIS-server/jetty/start.d/.

  2. Remove https.ini and ssl.ini from servers/openBIS-server/jetty/start.d/.
  3. Change the following in servers/datastore_server/etc/service.properties

    service.properties
    ...
    host-address = http://localhost
    ...
    port = 8081
    use-ssl = false
    ...
    server-url = ${host-address}:8080

To verify this configuration, check that the following line appears in the AS log (bin/bislog.sh) after successful startup of AS and DSS (bin/allup.sh):

openbis_log.txt
2019-09-03 09:04:16,027 INFO  [qtp1511785794-14] OPERATION.ServiceForDataStoreServer - Data Store Server (version 10) registered for http://127.0.0.1:8081

Next, SSO has to be enabled for ELN/LIMS by adding something like the following to servers/core-plugins/eln-lims/1/as/webapps/eln-lims/html/etc/InstanceProfile.js:

InstanceProfile.js
...
		this.singleSignOnUrlTemplate = "https://${host}/openbis-sso";
		this.singleSignOnLinkLabel = "Login with SWITCHaai";
}
})

Note that the application name must be the same as the one specified during registration at the federation.

In order for the Apache proxy to forward requests to openBIS, the following openbis.conf file has to be added to the Apache config files folder (most likely /etc/httpd/conf.d):

openbis.conf
ProxyPass /openbis/ssos !
ProxyPass /openbis/openbis/ssos !

ProxyPass /openbis http://localhost:8080/openbis
ProxyPassReverse /openbis http://localhost:8080/openbis
ProxyPass /datastore_server http://localhost:8081/datastore_server
ProxyPassReverse /datastore_server http://localhost:8081/datastore_server

ProxyPass /openbis-sso http://localhost:8080/openbis/openbis/ssos
<Location /openbis-sso >
  AuthType shibboleth
  ShibRequestSetting requireSession true
  ShibUseHeaders On
  <RequireAll>
    Require shib-attr mail ~ .*@.*
  </RequireAll>
</Location>

where again openbis-sso is the name of the application as registered at the federation.

You have to restart Apache with sudo systemctl restart httpd.

The Shibboleth daemon configuration shibboleth2.xml (most likely found in /etc/shibboleth) is almost configured for SWITCHaai when following the instructions in Shibboleth Service Provider (SP) Configuration Guide. But some adaptations are needed:

  • The timeout attribute of the <Sessions> element has to be set to a value equal to or larger than the openBIS timeout as specified in servers/openBIS-server/jetty/etc/service.properties by the property session-timeout.
  • The following <Notify> element has to be added at the end of the <ApplicationDefaults> element: <Notify Channel="front" Location="https://<host>/openbis-sso"/> where <host> is the hostname and openbis-sso is the application name as registered at the federation.

You have to restart Shibboleth with sudo systemctl restart shibd.service.
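As an added consistency check (this is example code, not part of the openBIS documentation or the project's own tooling), the following Python script validates the pieces of configuration above against each other: the ssos servlet is excluded from the plain proxy, the /openbis-sso location demands a Shibboleth session, the Shibboleth session timeout covers the openBIS session-timeout, and the front-channel <Notify> points at the application. The sample configs are constructed; it assumes that the openBIS session-timeout is given in minutes, that the Shibboleth <Sessions> timeout is in seconds, and that the SP default timeout is 3600 seconds.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the fragments on this page (not real files).
SERVICE_PROPERTIES = "session-timeout = 720\n"  # openBIS AS value, assumed to be in minutes
OPENBIS_CONF = """ProxyPass /openbis/ssos !
ProxyPass /openbis/openbis/ssos !
ProxyPass /openbis-sso http://localhost:8080/openbis/openbis/ssos
<Location /openbis-sso >
  AuthType shibboleth
  ShibRequestSetting requireSession true
</Location>
"""
SHIBBOLETH2_XML = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
 <ApplicationDefaults entityID="https://host.example.org/shibboleth">
  <Sessions lifetime="28800" timeout="43200"/>
  <Notify Channel="front" Location="https://host.example.org/openbis-sso"/>
 </ApplicationDefaults></SPConfig>"""

def check_proxy_conf(conf, app="openbis-sso"):
    """Findings for openbis.conf; an empty list means every check passed."""
    findings = []
    for path in ("/openbis/ssos", "/openbis/openbis/ssos"):  # servlet must not be plainly proxied
        if not re.search(r"^\s*ProxyPass\s+%s\s+!" % re.escape(path), conf, re.M):
            findings.append("ssos servlet reachable via plain proxy: missing 'ProxyPass %s !'" % path)
    loc = re.search(r"<Location\s+/%s\s*>(.*?)</Location>" % re.escape(app), conf, re.S)
    body = loc.group(1) if loc else ""  # a missing block also fails the two checks below
    if not re.search(r"^\s*AuthType\s+shibboleth", body, re.M | re.I):
        findings.append("/%s not protected by AuthType shibboleth" % app)
    if not re.search(r"^\s*ShibRequestSetting\s+requireSession\s+true", body, re.M | re.I):
        findings.append("/%s does not require a Shibboleth session" % app)
    return findings

def check_shib_xml(xml_text, openbis_timeout_minutes, app="openbis-sso"):
    """Sessions timeout (seconds) must cover the openBIS timeout; a front-channel Notify must exist."""
    local = lambda e: e.tag.split("}")[-1]  # drop the SP config namespace from tag names
    elems = list(ET.fromstring(xml_text).iter())
    sessions = [e for e in elems if local(e) == "Sessions"]
    timeout = int(sessions[0].get("timeout", "3600")) if sessions else 3600  # 3600 s: assumed SP default
    findings = []
    if timeout < openbis_timeout_minutes * 60:
        findings.append("Shibboleth timeout %ds < openBIS session-timeout %dm" % (timeout, openbis_timeout_minutes))
    if not [e for e in elems if local(e) == "Notify" and e.get("Channel") == "front"
            and (e.get("Location") or "").endswith("/" + app)]:
        findings.append("no front-channel <Notify> pointing at /%s" % app)
    return findings

def run_checks(props=SERVICE_PROPERTIES, conf=OPENBIS_CONF, xml_text=SHIBBOLETH2_XML):
    m = re.search(r"^\s*session-timeout\s*=\s*(\d+)", props, re.M)  # openBIS value, minutes
    return check_proxy_conf(conf) + check_shib_xml(xml_text, int(m.group(1)) if m else 0)
```

Run `run_checks()` against the real files' contents; an empty list means the three configurations agree, otherwise each string names the mismatch.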
