This wiki space contains archival documentation of Project Bamboo, April 2008 - March 2013.


Overview

The procedure for integration of client Research Environments, tools, or services with Bamboo's IAM infrastructure will differ for each client platform. During the active period of the Bamboo Technology Project (Oct 2010 to March 2013), client integration was proven using an application running in an instance of Drupal. This application was the Account Services module, described on the page Account Services UI - Bamboo IAM Client - Drupal Module PoC.

The steps on this page describe integration of a Drupal instance with the Bamboo IAM infrastructure. The steps are drawn from installation of Drupal on a virtual machine running a CentOS Linux distribution. There are links to more detailed instructions on separate pages where appropriate.

 

Install and configure Drupal

Follow instructions at http://drupal.org/documentation/install/download

Install at chosen location under /var/www/html

Install and configure Shibboleth SP

1. Install Shibboleth SP by following the steps described on the page Shibboleth SP Installation and Configuration for Bamboo Trust Federation Clients.

2. Edit /etc/shibboleth/shibboleth2.xml.dist and save edited version as /etc/shibboleth/shibboleth2.xml. Make the following changes:

<ApplicationDefaults entityID="https://sp.example.org/shibboleth"

...changed to...

<ApplicationDefaults entityID="https://sp.yourdomain.org/shibboleth"

<SSO entityID="https://idp.example.org/idp/shibboleth"
                  discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">

...changed to...

<SSO
                  discoveryProtocol="SAMLDS" discoveryURL="https://yourdomain.org/shibboleth-ds/index.html">

<Errors supportContact="root@localhost"

...changed to...

<Errors supportContact="appropriateAdmin@chosen.mail.provider"

...insert after...

<!-- Example of remotely supplied batch of signed metadata. -->


...these two lines...


<MetadataProvider type="XML" uri="http://appropriatehost.org/metadata/ProjectBambooSaml2Metadata.xml"
   backingFilePath="federation-metadata.xml" reloadInterval="7200"/>

 

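3. Edit /etc/httpd/conf.d/shib.conf to use lazy sessions for the Drupal instance. See the <Location /drupal> block at the bottom of the file: "ShibRequestSetting requireSession 0" lets requests through without a Shibboleth session, so login is started by the application (Drupal) rather than enforced by Apache.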

# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig

# RPM installations on platforms with a conf.d directory will
# result in this file being copied into that directory for you
# and preserved across upgrades.

# For non-RPM installs, you should copy the relevant contents of
# this file to a configuration location you control.

#
# Load the Shibboleth module.
#
LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so

#
# Used for example style sheet in error templates.
#
<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    Allow from all
  </Location>
  Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
</IfModule>

#
# Configure the module for content.
#
# You MUST enable AuthType shibboleth for the module to process
# any requests, and there MUST be a require command as well. To
# enable Shibboleth but not specify any session/access requirements
# use "require shibboleth".
#
<Location /drupal>
  AuthType shibboleth
  ShibRequestSetting requireSession 0
  require shibboleth
</Location>
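
The following check is an added example, not part of the original Bamboo documentation: it parses a shibboleth2.xml and reports any of the step 2 edits that were missed. It also flags a metadata source fetched over plain HTTP with no Signature MetadataFilter, which goes beyond the steps on this page; the function names and the trimmed-down sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"sp": "urn:mace:shibboleth:2.0:native:sp:config"}  # Shibboleth SP 2.x config namespace

def check_sp_config(xml_text):
    """Return findings for a shibboleth2.xml document (empty list means clean)."""
    root = ET.fromstring(xml_text)  # raises ParseError if the edits left malformed XML
    app = root.find("sp:ApplicationDefaults", NS)
    if app is None:
        return ["no ApplicationDefaults element"]
    out = []
    if "example.org" in app.get("entityID", ""):
        out.append("ApplicationDefaults entityID is still the placeholder")
    sso = app.find("sp:Sessions/sp:SSO", NS)
    if sso is not None and sso.get("entityID"):
        out.append("SSO entityID is set, so one fixed IdP is used instead of discovery")
    if sso is not None and "example.org" in sso.get("discoveryURL", ""):
        out.append("SSO discoveryURL is still the placeholder")
    err = app.find("sp:Errors", NS)
    if err is not None and err.get("supportContact") == "root@localhost":
        out.append("Errors supportContact is still root@localhost")
    providers = app.findall("sp:MetadataProvider", NS)  # comments are dropped by the parser
    if not providers:
        out.append("no active MetadataProvider")
    for mp in providers:
        signed = any(f.get("type") == "Signature" for f in mp.findall("sp:MetadataFilter", NS))
        if mp.get("uri", "").startswith("http://") and not signed:
            out.append("metadata fetched over plain HTTP with no Signature filter")
    return out

def sample(entity, sso_attrs, contact, provider):
    # Constructed, trimmed-down shibboleth2.xml for this demo (not a complete config).
    return f"""<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
 <ApplicationDefaults entityID="{entity}">
  <Sessions><SSO {sso_attrs}>SAML2 SAML1</SSO></Sessions>
  <Errors supportContact="{contact}"/>{provider}
 </ApplicationDefaults></SPConfig>"""

DS = 'discoveryProtocol="SAMLDS" discoveryURL='
DIST = sample("https://sp.example.org/shibboleth",  # values as shipped in the .dist file
              f'entityID="https://idp.example.org/idp/shibboleth" {DS}"https://ds.example.org/DS/WAYF"',
              "root@localhost", "<!-- MetadataProvider still commented out -->")
EDITED = sample("https://sp.yourdomain.org/shibboleth",  # values after the page's edits
                f'{DS}"https://yourdomain.org/shibboleth-ds/index.html"',
                "appropriateAdmin@chosen.mail.provider",
                '<MetadataProvider type="XML" uri="http://appropriatehost.org/metadata/ProjectBambooSaml2Metadata.xml"'
                ' backingFilePath="federation-metadata.xml" reloadInterval="7200"/>')

if __name__ == "__main__":
    print({"dist": check_sp_config(DIST), "edited": check_sp_config(EDITED)})
```

To check a real installation, pass the contents of /etc/shibboleth/shibboleth2.xml to check_sp_config(); a ParseError means the edited file is not well-formed XML.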

 

Install and configure the Shibboleth Embedded Discovery Service

Follow instructions at https://wiki.shibboleth.net/confluence/display/EDS10/Embedded+Discovery+Service. When installing on a Linux platform, this can be as simple as invoking yum.

yum install shibboleth-embedded-ds

 

 

Install and Configure the Drupal shib_auth module

See http://drupal.org/project/shib_auth and https://wiki.aai.niif.hu/index.php?title=DrupalShibbolethReadmeDev.

When logged in with administrator privileges after installing the shib_auth module, click "Modules", scroll down to Shibboleth at the bottom of the page and click "Configure".

Here is what the configuration options should look like:

After making any changes (e.g., to URLs; the defaults should work in most other cases), click the "Save configuration" button at the bottom of the page.

Your Drupal site should now show a "Shibboleth login" option, and users can choose their preferred identity provider from those defined in the Bamboo Trust Federation metadata. This can include social providers such as Google, Twitter, Yahoo and others if there is a Social2SAML gateway IdP in the federation (see Social/SAML Gateway to enable social media identity provision).
