I’ve gotten asked a few time lately to document how we integrated Joomla with Shibboleth authentication. It turned out to be fairly straight-forward, primarily due to the awesome Joomla Auth plugin from Sam Moffat .
The first step is getting your Apache server configured to use Shibboleth. The main Shibboleth site https://spaces.internet2.edu/display/SHIB2/Home is your best friend when it comes to this. Pick the one for your platform, we are running on OS X, which turns out to be one of the more involved installs. Linux set-up are pretty straightforward. We already had an Identity provider up and running on campus so all I had to do was install a service provider.
Once Shib is running, you need to enable it for the host where your Joomla site lives. I just turned on Shib for the entire server using this in httpd.conf
AuthType shibboleth
ShibRequireSession Off
require shibboleth
Next is to install the Joomla Auth Plugins. You can find instructions for that here Quickstart_for_1.5.
I installed the libauthtool package from file repository and the plgSSOHTTP from the same spot since really what we’re doing is using HTTP header authentication.
Configuring these plugins is pretty straightforward. Here’s a screenshot of one of our configured sites. The key is setting the User Key to coincide in the SSP HTTP Plugin with where the username lives in the Shibboleth header.
In our case, and in most cases, that is REMOTE_USER. Â The “Username Replacement” option is handy for stripping off the @ portion of the REMOTE_USER data. That allows you to use regular username in Joomla. For example, payst@unc.edu (my Shibboleth ID) can simply be payst in Joomla and I can login as payst. This makes it easier on the users. Your config may vary depending on your Shibboleth set-up or identity management for your area.
Config for the SSO-HTTP Plugin (click to enlarge):
Config for the System SSO Plugin (click to enlarge):
The hardest part of this was getting the Shibboleth service provider set up in Apache. Make sure that works before you start trying to get Joomla integrated. I beat my head into the wall a few time before I realized some of the Shib stuff wasn’t quite right. You can test your Shibboleth authentication by setting up a folder on your web server called something like /test and adding an entry into your Apache config:
AuthType shibboleth
ShibRequireSession On
require shibboleth
Then drop an index.php in that directory with
<?php print_r($_SERVER)>
Visit the /test URL in your favorite web browser and assuming all is working right, you should get directed to your Shibboleth login page and once successfully logged in your should see a page with the full headers from your Shibboleth Identity Provider. This is also a handy way to figure out where your usernames live in the header. You should see yours in REMOTE_USER and you can use that info in configuring the plug-ins as I described above.
I hope this helps (and I hope I haven’t forgotten anything)!