Enable Federated accessΒΆ
JAGGER supports both local authentication and federated access. Right now shibboleth-sp is supported. There will be support for simpleSAMLphp too.
Obviusly you need to have shibboleth-sp configured.
Enable federated access in JAGGER
Find and set following keywords in Configuration files :
autoregister_federated, register_defaultrole, Shib_required, Shib_username, Shib_mail, Shibboleth
Next thing is to protect specific URI in apache with shibboleth. Here is example part from apache config.
Note
remove or replace ALIAS with your base location for JAGGER
<Location /ALIAS/auth/fedauth> Options -Indexes FollowSymLinks MultiViews Order allow,deny Allow from all AuthType shibboleth ShibRequireSession On require valid-user </Location> <Location /ALIAS/index.php/auth/fedauth> Options -Indexes FollowSymLinks MultiViews Order allow,deny Allow from all AuthType shibboleth ShibRequireSession On require valid-user </Location>
You may also want to enable embeded DiscoveryService. To get this working you need to have DiscoFeed enabled in shibboleth2.xml file:
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
enable and set as default
<SessionInitiator type="Chaining" Location="/DS" id="DS" isDefault="true" relayState="cookie"> <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/> <SessionInitiator type="Shib1" acsIndex="5"/> <SessionInitiator type="SAMLDS" URL="https://yourHOST/ALIAS/eds"/> </SessionInitiator>
Note
replace URL=”https://yourHOST/ALIAS/eds” with yours
Now you should be able to see both local authentication part and federated access.
You can decide what kind of access (local authn or/and federated access) can be used by user. If you create user and set only federated access then even there is password set during creation user can’t login using local authentication.
There are three possibilites:
- only local authentication
- only federated access
- bot local authentication and federated access
