A Shibboleth authentication module is available for Drupal 5 and 6. It can be found at http://drupal.org/project/shib_auth

When used with Drupal 6, Drupal group membership can be generated from rules that evaluate the data contained in the SAML assertion provided by the identity provider. This feature is not available when using Drupal 5.

To use this authentication module, you still need to install the Shibboleth SP package on your web server, and you still need to configure and customize it. Once you have done that, you also need to configure the authentication module via the Drupal GUI.

There are three tabs in the module administration for the shib_auth module: General Settings, Group Rules and Advanced Settings. Here is an example screen shot of the three tabs.

Here is an example of the General Settings tab for the authentication module when used at MIT.
A typical attribute settings section (from the General Tab) is shown below.

The entries in the screen shot above assume that you have used the MIT shell script to configure your shibboleth.xml file. You should check your xml file. Within the "Applications" section, look for the SessionInitiator section. You should have one SessionInitiator that is defined as:

Code Block
<SessionInitiator id="ISDA" Location="/Touchstone" Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
 wayfURL="https://idp-mit-edu.ezproxyberklee.flo.org/WAYF/WAYF" wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" /> 

The SessionInitiator shown above will direct users to the WAYF (Where Are You From) server. This is appropriate if you have an application that will support users from outside of MIT as well as users that have an MIT Kerberos username.

...

Code Block
<SessionInitiator id="MIT" Location="/MIT-only" Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
 wayfURL="https://idp-mit-edu.ezproxyberklee.flo.org/shibboleth-idp/SSO" wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" /> 

If you want to use this second SessionInitiator, then you should enter "/MIT-only" into the WAYF field in the Drupal settings page.

Group rules allow you to automatically map Touchstone-authenticated users to specific Drupal roles, based on values in SAML attributes. One common attribute we use here is "affiliation". Here is an example of configuring the Group Rules when using Drupal 6.
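
The following is an added example, not code from the shib_auth module: a stand-alone model of group-rule evaluation that shows why a rule's pattern should match the whole attribute value rather than a substring. It assumes each rule is an attribute name, a regular expression and a list of roles, and that a multi-valued attribute arrives as one semicolon-separated string; the function name, affiliation values and role name are constructed for illustration.

```php
<?php
// Added illustration: a stand-alone model of group-rule evaluation,
// not code from the shib_auth module. The rule layout and the ';'
// separator for multi-valued attributes are assumptions.

/**
 * Return the roles granted by $rules for the given attribute values.
 * Each rule: ['attribute' => name, 'pattern' => PCRE, 'roles' => [...]].
 */
function roles_for(array $attributes, array $rules): array {
    $granted = [];
    foreach ($rules as $rule) {
        // A missing attribute is treated as empty and grants nothing.
        $raw = $attributes[$rule['attribute']] ?? '';
        // Split a multi-valued attribute into its individual values.
        foreach (explode(';', $raw) as $value) {
            $value = trim($value);
            if ($value !== '' && preg_match($rule['pattern'], $value) === 1) {
                $granted = array_merge($granted, $rule['roles']);
                break; // one matching value is enough for this rule
            }
        }
    }
    return array_values(array_unique($granted));
}

// Constructed rules: the same intent written loosely and strictly.
$loose  = [['attribute' => 'affiliation', 'pattern' => '/staff/',
            'roles' => ['editor']]];
$strict = [['attribute' => 'affiliation', 'pattern' => '/^staff@mit\.edu$/',
            'roles' => ['editor']]];

// Constructed attribute values, as the SP might expose them to PHP.
$samples = [
    'staff member'       => ['affiliation' => 'staff@mit.edu;member@mit.edu'],
    'other organisation' => ['affiliation' => 'staff@example.org'],
    'substring only'     => ['affiliation' => 'nonstaff@mit.edu'],
    'no attribute'       => [],
];

foreach ($samples as $label => $attrs) {
    printf("%-20s loose=[%s] strict=[%s]\n", $label,
        implode(',', roles_for($attrs, $loose)),
        implode(',', roles_for($attrs, $strict)));
}
```

With these samples the anchored rule grants the role only to the first user, while the unanchored one also grants it to the second and third.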