Configure the Captive Portal to Authenticate Users Against an IdP SAML 2.0 Using Shibboleth
This guide describes the configuration of the Captive Portal with a Shibboleth SAML 2.0 Identity
Provider, belonging either to a single AAI (Authentication and Authorization Infrastructure) or to a
federation of them, to authenticate users for network access.
Activate Shibboleth Authentication
From the [Web Login Authentication Server] form you can enable Shibboleth authentication. You can
also choose between two modes: [On Demand], in which the classic Captive Portal screen for entering
username and password appears and the user has to press the [AAI] button to be redirected to the
WAYF/IdP URL, and [Auto], in which the user is redirected directly to the Identity Provider,
bypassing the Captive Portal's own RADIUS/Kerberos 5 authentication. The [SP EntityID] field is the
value of the entityID parameter with which the Captive Portal Service Provider is registered in the
federation metadata. Set this value before generating the metadata to be sent to the manager of the
AAI Federation with which you want to register the Captive Portal: the entityID is embedded in that
metadata, so changing it afterwards means registering the Service Provider again.
Configuration of the Shibboleth module for Apache
From the panel shown below you can configure the Shibboleth module for Apache in more detail. From the same panel you can also upgrade the software that
implements the Shibboleth Service Provider. The updates are released as a single package which includes:
log4shib
opensaml 2
shibboleth-sp 2
xml-security-c
xmltooling
The updates are available at the URL http://www.zeroshell.org/shibboleth, where the procedure for building the updated packages from the source code is
also described.
Shibboleth module configuration via Web File Editor
Given the high configurability of the Shibboleth SP module, the configuration files are deliberately left to be managed by hand through the web editor.
Zeroshell does, however, pre-configure some of the parameters for you.
Configuration Check
Before restarting Shibboleth after a configuration change, always check the consistency of the files in /etc/shibboleth with the [Verify] button, which
lists the problems found grouped by severity into warning, error, critical and fatal. The same check can be run from a shell with the command shibd -t,
the Shibboleth daemon's configuration test mode, which is useful when editing the files outside the web interface.
Access permissions provided by the IdP environment variables
Generally, network access is not granted simply because the user passed authentication: the user must also be authorized by setting conditions on the
environment variables that the Service Provider populates from the attributes returned after a successful Identity Provider authentication. One of the
attributes most often checked to grant access is affiliation, which indicates the category of users (staff, student, member, ...) to which the user belongs.
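As an added example (this is not Zeroshell's own code), the Python function below makes the decision such an authorization rule has to make over the attribute variables the Service Provider exports, with the two details that are easy to get wrong: multi-valued attributes arrive in a single variable joined with ';' (the Shibboleth SP convention, with a literal semicolon escaped as '\;'), and a scoped affiliation such as student@example.org must be checked for its scope as well as its value, otherwise any Identity Provider in the federation asserting student@somewhere-else.org would be let onto the network. The variable name affiliation for eduPersonScopedAffiliation is the Shibboleth SP default attribute-map.xml mapping; the environment contents and the allowed sets are constructed for the example and are assumptions, not values from the page.

```python
import re

# Constructed example of the environment the Shibboleth SP exports to the
# captive portal after a successful IdP login (the values are made up).
CONSTRUCTED_ENV = {
    "Shib-Identity-Provider": "https://idp.example.org/idp/shibboleth",
    "affiliation": "member@example.org;student@example.org",  # multi-valued, ';'-joined
    "eppn": "jdoe@example.org",
}

# Assumed local policy (not from the page): which affiliations and which
# home organisations (scopes) are allowed onto the network.
ALLOWED_AFFILIATIONS = {"staff", "student", "faculty"}
ALLOWED_SCOPES = {"example.org"}

# A ';' that is not escaped as '\;' separates values in a Shibboleth SP env var.
_VALUE_SEPARATOR = re.compile(r"(?<!\\);")


def split_values(raw):
    """Split a ';'-joined Shibboleth attribute variable into its values."""
    if not raw:
        return []
    return [v.replace("\\;", ";") for v in _VALUE_SEPARATOR.split(raw) if v]


def authorize(env, allowed_affiliations=ALLOWED_AFFILIATIONS,
              allowed_scopes=ALLOWED_SCOPES):
    """Decide network access from the SP environment.

    Returns (allowed, reason). Access requires an active Shibboleth session
    and at least one scoped affiliation whose value AND scope are allowed.
    """
    # Shib-Identity-Provider is only set once the SP holds a valid session.
    if not env.get("Shib-Identity-Provider"):
        return False, "no Shibboleth session"
    for value in split_values(env.get("affiliation")):
        if "@" not in value:
            continue  # unscoped value: the home organisation cannot be checked
        affiliation, _, scope = value.rpartition("@")
        if affiliation.lower() in allowed_affiliations and scope.lower() in allowed_scopes:
            return True, "matched " + value
    return False, "no acceptable scoped affiliation"


if __name__ == "__main__":
    print(authorize(CONSTRUCTED_ENV))
    print(authorize({"Shib-Identity-Provider": "https://idp.evil.test/idp",
                     "affiliation": "staff@evil.test"}))
```

In the Apache module the same decision is expressed as a require directive on the attribute name (for example require affiliation with the accepted values) inside the Location protected with AuthType shibboleth. The SP's attribute-policy.xml already drops scoped values whose scope the asserting IdP is not authorized for in the federation metadata; the scope check above is the application-level decision on top of that filter, not a replacement for it.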
Automatic or manual unlock of the URLs of the Identity Providers and WAYF
When setting up a Captive Portal as a Shibboleth Service Provider you immediately run into a deadlock: to obtain network access the user must authenticate
to an IdP, which usually sits outside the local network and is therefore itself blocked by the captive portal. A whitelist of the IdP/WAYF URLs belonging to
the Federation is therefore needed. With a single IdP this is immediate, while for a Federation whose Identity Providers change dynamically it is onerous for
the Captive Portal administrator. For this reason Zeroshell implements auto-discovery of the Identity Provider and WAYF URLs. Note that Zeroshell does not
obtain those URLs from the Federation metadata, which may lag behind the real situation, but by interpreting the Service Provider's own redirections to the
IdP/WAYF URLs. This produces an automatic whitelist that is always instantly up to date.
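To make the mechanism concrete, here is an added Python example (not Zeroshell's implementation) of deriving the whitelist from the Service Provider's redirects. It encodes a SAML AuthnRequest the way the HTTP-Redirect binding does (raw DEFLATE, then base64) so that a realistic SP-to-IdP redirect can be constructed offline, and then extracts the hosts to unlock from each redirect. Three trust rules are built in: only 302/303 responses issued from the SP's own handler URL (the Shibboleth SP default prefix /Shibboleth.sso/) are used, so a client cannot feed the portal a Location header of its choosing; only https targets are unlocked, since an IdP reached over plain http would expose the user's password on the still-untrusted network; and when the target carries a SAMLRequest its Destination is cross-checked and added. The sample request and the portal, IdP and WAYF names are constructed for the example.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

# Default handler URL of the Shibboleth SP; only redirects issued from here
# are trusted as a source of IdP/WAYF hosts.
SP_HANDLER_PREFIX = "/Shibboleth.sso/"


def deflate_saml_request(xml_text):
    """Encode an AuthnRequest as the SAML HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_saml_request(b64):
    """Reverse of deflate_saml_request."""
    return zlib.decompress(base64.b64decode(b64), -15).decode("utf-8")


def hosts_to_unlock(request_path, status, location):
    """Return the hosts a client must reach to follow one redirect issued by the SP."""
    hosts = set()
    # Only redirects produced by the SP's own handler are a trusted source.
    if status not in (302, 303) or not request_path.startswith(SP_HANDLER_PREFIX):
        return hosts
    target = urlsplit(location)
    # Never unlock a plain-http target: credentials would cross the open network.
    if target.scheme != "https" or not target.hostname:
        return hosts
    hosts.add(target.hostname)
    # HTTP-Redirect binding: cross-check the Destination inside the SAMLRequest.
    saml = parse_qs(target.query).get("SAMLRequest")
    if saml:
        try:
            destination = ET.fromstring(inflate_saml_request(saml[0])).get("Destination", "")
        except (ValueError, zlib.error, ET.ParseError):
            return hosts  # malformed request: keep only the redirect target itself
        dest_host = urlsplit(destination).hostname
        if dest_host:
            hosts.add(dest_host)
    return hosts


def build_whitelist(observed):
    """Fold (request_path, status, location) observations into one host whitelist."""
    whitelist = set()
    for path, status, location in observed:
        whitelist |= hosts_to_unlock(path, status, location)
    return whitelist


# --- constructed sample traffic (not captured from a real deployment) ---
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.org/idp/profile/SAML2/Redirect/SSO" '
    'AssertionConsumerServiceURL="https://portal.example.org/Shibboleth.sso/SAML2/POST">'
    '<saml:Issuer>https://portal.example.org/shibboleth</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

# SP -> IdP redirect (HTTP-Redirect binding) and SP -> WAYF redirect.
IDP_REDIRECT = "https://idp.example.org/idp/profile/SAML2/Redirect/SSO?" + urlencode(
    {"SAMLRequest": deflate_saml_request(SAMPLE_AUTHN_REQUEST), "RelayState": "cookie:1"})
WAYF_REDIRECT = "https://wayf.example-federation.org/WAYF?" + urlencode(
    {"entityID": "https://portal.example.org/shibboleth",
     "return": "https://portal.example.org/Shibboleth.sso/Login"})

if __name__ == "__main__":
    print(build_whitelist([
        ("/Shibboleth.sso/Login", 302, WAYF_REDIRECT),
        ("/Shibboleth.sso/Login", 302, IDP_REDIRECT),
        ("/index.html", 302, "https://attacker.example/"),  # not from the SP handler: ignored
    ]))
```

Two notes on how this generalizes. The entityID and return parameters of the WAYF redirect identify the Service Provider itself, not a host to unlock, which is why only the redirect target and the SAML Destination are taken. With a discovery service that hands the user's choice back to the SP, the SP then issues a second redirect to the chosen IdP, which is observed in the same way; the whitelist entries should be expired when the corresponding entry is no longer seen, otherwise hosts of IdPs that have left the federation stay open indefinitely.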
Captive Portal authentication page with Shibboleth configured
in On-Demand mode
The image below shows the captive portal login page when Shibboleth authentication is configured in
On-Demand mode, that is, with RADIUS/Kerberos 5 multi-domain authentication also enabled. The structure
of this page can be customized by pressing the [Template] button, which leads directly to the HTML
code. As mentioned, if you use [Auto] mode, the WAYF/IdP authentication page appears directly.