3.5. Shibboleth authentication

Shibboleth is a standardized authentication and authorization mechanism. With Shibboleth, OLAT forwards a user to its Identity Provider (her university / company website) for authentication. The Home Organisation will (upon successfull authentication) take the user back to OLAT including an Authentication Statement which is verified by OLAT. Upon proper verification of this Authentication Statement the user is automatically logged in to OLAT.

The configuration of Shibboleth is mostly done via build.properties / olat_config.xml. The following parameters have to be set:

  1. EnableShibbolethLogins (true/false): If set to "true" Shibboleth will be enabled on your installation.

  2. UniqueIdentifiers: Defines the attributes which allows to uniquely identify an authenticated person. Make sure, values of this attribute are truly unique. It is used to map an identity who has been authenticated by an Identity Provider to an identity within OLAT. The default unique identifier ("<Default />")is mandatory. You may specify unique identifiers on a per-site basis (e.g. <OriginSite siteName="examplesite" uidAttribute="exampleuid" />)

  3. AttributeTranslations (contains Attribute elements): Shibboleth can provide attributes to OLAT after successfull authentication of an identity. These attributes are propagated within OLAT for use e.g. as a pre-condition within a course. To make the attribute names easier to read (and use) you may provide translations to the attributes. E.g. "givenName" reads easier as opposed to "Shib-InetOrgPerson-givenName" (which is the attribute's actual name). See the olat_config.xml.in file for an example.

  4. OLATUserMapping : This section is used to map Shibboleth attributes to user preference attributes within OLAT. After each successfull Shibboleth authentication, the given Shibboleth attributes are mapped to the corresponding attributes in the OLAT user profile. E.g. Shibboleth Attribute "Shib-InetOrgPerson-givenName" would be mapped to the OLAT user profile's first name with the following statement:

    <FirstName>Shib-InetOrgPerson-givenName</FirstName>

    Valid mappings are: FirstName, LastName, EMail, InstitutionalName, InstitutionalEMail, InstitutionalUserIdentifier.

Some of these parameters can be configured through the build.properties file.

Step by step guide to enable shibboleth on your OLAT installation (Without set up of identiy provider).

  1. Get a FQDN (DNS name) for your OLAT installation like: olat.earth.sky

  2. Create an RSA key and out of it create a certificate request using openssl. See example from Swiss Education & Research Network: How to obtain server certificate.

  3. Let the certificate request sign from a certificate authority

  4. Download the signed certificate in the PEM format with the full certificate chain included.

  5. Convert the certificate into a format that tomcat likes (PKCS12) using openssl.

  6. Place the certificate in a directory tomcat can read and adjust the build.properties with the path and password phrase.

  7. Your AAI foderation should provide you with Federation Metadata. The federation metadata contains information about all Service Providers and Identity Providers participating in the federation. Download the file and place it inside webapp/WEB-INF direcotry and adjust the path in the build.properties file.

  8. If you intend to load attributes from the identiy provider you should make sure your have the rights to access them.

  9. An introduction about how install a Shibboleth Service Provider 2.0 with Apache, mod-shib, mod_jk, shibd (Shibboleth daemon) could be found here .

    Relevant for OLAT: Shibboleth daemon (shibd) configuration: attribute-map.xml, shibboleth2.xml (here comes the metadata providers). The medatadata.xml file is automatically downloaded from SWITCH and a local copy is stored.

  10. Configure the Embedded DS in shibbolethlogin.html: configure layout, IdP list, and the different URLs (e.g. wayfSPEntityID) in src/serviceconfig/org/olat/shibboleth/_spring/olatdefaultconfig.xml. See Embedded DS SWITCH tutorial.

  11. run the config-all task and restart OLAT.