I’ve gotten asked a few time lately to document how we integrated Joomla with Shibboleth authentication. It turned out to be fairly straight-forward, primarily due to the awesome Joomla Auth plugin from Sam Moffat .
The first step is getting your Apache server configured to use Shibboleth. The main Shibboleth site https://spaces.internet2.edu/display/SHIB2/Home is your best friend when it comes to this. Pick the one for your platform, we are running on OS X, which turns out to be one of the more involved installs. Linux set-up are pretty straightforward. We already had an Identity provider up and running on campus so all I had to do was install a service provider.
Once Shib is running, you need to enable it for the host where your Joomla site lives. I just turned on Shib for the entire server using this in httpd.conf
AuthType shibboleth
ShibRequireSession Off
require shibboleth
Next is to install the Joomla Auth Plugins. You can find instructions for that here Quickstart_for_1.5.
I installed the libauthtool package from file repository and the plgSSOHTTP from the same spot since really what we’re doing is using HTTP header authentication.
Configuring these plugins is pretty straightforward. Here’s a screenshot of one of our configured sites. The key is setting the User Key to coincide in the SSP HTTP Plugin with where the username lives in the Shibboleth header.
In our case, and in most cases, that is REMOTE_USER. The “Username Replacement” option is handy for stripping off the @ portion of the REMOTE_USER data. That allows you to use regular username in Joomla. For example, payst@unc.edu (my Shibboleth ID) can simply be payst in Joomla and I can login as payst. This makes it easier on the users. Your config may vary depending on your Shibboleth set-up or identity management for your area.
Config for the SSO-HTTP Plugin (click to enlarge):
Config for the System SSO Plugin (click to enlarge):
The hardest part of this was getting the Shibboleth service provider set up in Apache. Make sure that works before you start trying to get Joomla integrated. I beat my head into the wall a few time before I realized some of the Shib stuff wasn’t quite right. You can test your Shibboleth authentication by setting up a folder on your web server called something like /test and adding an entry into your Apache config:
AuthType shibboleth
ShibRequireSession On
require shibboleth
Then drop an index.php in that directory with
<?php print_r($_SERVER)>
Visit the /test URL in your favorite web browser and assuming all is working right, you should get directed to your Shibboleth login page and once successfully logged in your should see a page with the full headers from your Shibboleth Identity Provider. This is also a handy way to figure out where your usernames live in the header. You should see yours in REMOTE_USER and you can use that info in configuring the plug-ins as I described above.
I hope this helps (and I hope I haven’t forgotten anything)!
Wow, wonderful blog layout! How long have you been blogging for? you make blogging look easy. The overall look of your website is fantastic, let alone the content!. Thanks For Your article about Joomla and Shibboleth Stuff .
Really nice article. However, I prefer comercial systems because of safety reasons. For example pozycjonowanie gliwice. Thanks a lot.
Nice.
I think the admin of this website is genuinely working hard in
favor of his website, as here every data is quality based stuff.
Thanks for the joomla info but I am still a bit confused.
Thanks for this article. I don’t really understand :
I want my website users to be able to access to private content using SSO : do I really need to install everything (tomcat, java, shib) on my server ?
Thanks
Excellent beat ! I would like to apprentice while you amend your site, how can i subscribe for a weblog web site? The account aided me a appropriate deal. I were tiny bit familiar of this your broadcast offered brilliant clear concept
Wonderful paintings! That is the kind of information that are meant to be shared around the web. Shame on the seek engines for not positioning this put up higher! Come on over and visit my website . Thank you =)
I would not depart your blog in advance of hinting that I actually liked the most common data any person give on your own visitors? Are going to be just as before on a regular basis as a way to consider innovative discussions
I always emailed this web site post page to all my associates, as if
like to read it afterward my friends will too.