Ticket #501 (closed enhancement: fixed)

Opened 5 years ago

Last modified 5 years ago

Update GSCF with functionality for authentication via Shibboleth / SAML

Reported by: business@… Owned by: work@…
Priority: major Milestone: 0.8.6
Component: Authentication / Authorization Version: 0.8.3
Keywords: Cc:
Hardware: Operating system:
Product: URL:


  • Maintain backward compatibility (by default GSCF should have its own authentication)
  • Implement functionality for resolving user credentials / details via Shibboleth (extra header items) --> user provisioning

Change History

comment:1 Changed 5 years ago by business@…

  • Owner changed from business@… to robert@…
  • Type changed from defect to enhancement
  • Component changed from Unknown to Authentication / Authorization

If Shibboleth is enabled:

  • Read header properties (username, email, name) supplied by SURFconext
  • If this user account does not yet exist, create it in the database
  • username urn maps to GSCF username
  • replace login dialog (automatic login)
  • verify that a logout invalidates the session and does not allow re-logins
  • add a warning message to logout button, stating that the user would need to close and re-open the browser

comment:2 Changed 5 years ago by work@…

Shibboleth request headers (see gscf --> admin --> application info):

Shib-Session-ID : _7fc690bf17da534332d242b2453a
Shib-Identity-Provider : https://engine.surfconext.nl/authentication/idp/metadata
Shib-Authentication-Method : urn:oasis:names:tc:SAML:2.0:ac:classes:Password
Shib-Authentication-Instant : 2011-10-31T11:05:27Z
Shib-AuthnContext-Class : urn:oasis:names:tc:SAML:2.0:ac:classes:Password
Shib-AuthnContext-Decl :
Shib-Assertion-Count :
persistent-id : urn:collab:person:surfguest.nl:username
uid : username
Shib-InetOrgPerson-mail : you@email.com
schacHomeOrganization : surfguest.nl
coin-user-status : guest
coin-vo-name : nmc-dsp
displayName : firstName lastName
Shib-Application-ID : default
REMOTE_USER : urn:collab:person:surfguest.nl:username

comment:3 Changed 5 years ago by business@…

Adjustments necessary:

  • In each request, check if session exists, if not, create/synchronize user account, and create session. If session is invalidated, show logout info box ('you are logged out, restart browser')
  • After logout is clicked, session should be invalidated
  • Profile page --> if Shibboleth, read-only (only show full name and email), otherwise standard one
  • Login panel should just show username (should work automatically)
  • 'Add user' in permissions in Study wizard Study page should show full names

comment:4 Changed 5 years ago by business@…

Suggestion by Jeroen: just place /auth behind Shibboleth, and not the rest of the pages.

comment:5 Changed 5 years ago by work@…

  • Owner changed from robert@… to work@…
  • Status changed from new to assigned

comment:6 Changed 5 years ago by work@…

Modified virtual host configuration to support shibboleth authentication:

	# Shibboleth / SURFconext authentication
	<IfModule mod_shib>
		# add a custom header to let the application know
		# we want to use shibboleth instead of default authentication
		<IfModule mod_headers.c>
			<LocationMatch .*>
				RequestHeader set UseShibboleth "%t"
			</LocationMatch>
		</IfModule>

		# secure login through shibboleth
		<LocationMatch "/login/.*|/Shibboleth.*">
			AuthType shibboleth
			ShibRequireSession On
			ShibUseHeaders On
			require valid-user
		</LocationMatch>
	</IfModule>

Change login view behaviour when UseShibboleth is set in request header in r2077

Login logic change for Shibboleth still to be implemented

comment:7 Changed 5 years ago by business@…

  • Status changed from assigned to closed
  • Resolution set to fixed

Logic is implemented:

  • when logging in via Shibboleth, user is checked and created if it doesn't exist
  • Login button integrates with Shibboleth login


  • Potential security flaw: request headers are used to determine Shibboleth login -- so in case the standard authentication method is used, people could hack in those headers and create a new user that way. This could be solved by defining a new configuration setting that explicitly specifies whether Shibboleth login is used or not.
  • Admin privilege has to be added by hand in the database for at least 1 user when starting with an empty database and Shibboleth logins.

comment:8 Changed 5 years ago by work@…

Replaced the request parameter useShibboleth with a configuration parameter to improve security (otherwise someone could hack the application by spoofing the request headers). See #504 and r2107 for more information.
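The flaw raised in comment:7 and the fix described in comment:8, side by side as an added illustration (not GSCF code): one variant lets the request's own UseShibboleth header decide whether the Shib-* headers are trusted, the other lets a server-side configuration setting decide. Header names are taken from comment:2; the function names and the dict-based user store are hypothetical.

```python
# Added illustration, not GSCF code: Shibboleth provisioning gated by a
# request header (comment:7's flaw) versus by server-side configuration
# (comment:8's fix). Header names are from comment:2; function names here
# and the store layout are hypothetical.

def provision(store, headers):
    """Create the GSCF account from the SURFconext headers if it is missing.
    The persistent-id urn maps directly to the GSCF username."""
    username = headers["persistent-id"]
    if username not in store:
        store[username] = {
            "email": headers.get("Shib-InetOrgPerson-mail", ""),
            "name": headers.get("displayName", ""),
        }
    return username


def login_header_gated(store, headers):
    """Before the fix: the request itself says whether Shibboleth headers are
    trusted, so with standard authentication a client can supply them all."""
    if headers.get("UseShibboleth"):
        return provision(store, headers)
    return None


def login_config_gated(store, headers, shibboleth_enabled):
    """After the fix: only a deployment configured for Shibboleth (mod_shib in
    front of /login, headers set by Apache) reads the Shib-* headers."""
    if not shibboleth_enabled:
        return None
    return provision(store, headers)


# Constructed request: Shibboleth-style headers sent by the client itself to a
# deployment that uses GSCF's own login, i.e. no mod_shib set them.
CLIENT_SUPPLIED = {
    "UseShibboleth": "1",
    "persistent-id": "urn:collab:person:surfguest.nl:someone",
    "Shib-InetOrgPerson-mail": "someone@example.invalid",
    "displayName": "Some One",
}


def demo():
    """Return how many accounts each variant creates for the same request."""
    before, after = {}, {}
    login_header_gated(before, CLIENT_SUPPLIED)
    login_config_gated(after, CLIENT_SUPPLIED, shibboleth_enabled=False)
    return len(before), len(after)  # (1, 0)
```

With the setting enabled, the same headers do provision an account, which is the intended path when Apache's mod_shib has set them.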
