Friday, May 14, 2010

How to Shibbolize uPortal 3.2.1

This assumes you've already set up the Java 6 SDK, uPortal 3.2.1 and the Shibboleth SP, and have confirmed that Shibboleth is delivering the username to Tomcat as REMOTE_USER. (The SP sets REMOTE_USER as a server variable in Apache; mod_proxy_ajp or mod_jk forwards it to Tomcat as the AJP remote-user attribute, which is what request.getRemoteUser() returns. It is not an HTTP header, so nothing a browser sends can populate it.) It also assumes you have added tomcatAuthentication="false" to the AJP connector(s) in Tomcat 6's server.xml so that Tomcat accepts that value instead of running its own authentication. Because the connector then trusts whatever REMOTE_USER its AJP peer sends, bind it to the loopback interface (address="127.0.0.1") or firewall it so that only the Shibboleth-protected Apache instance can reach it. For assistance with these tasks, go to the official site and the shibboleth-users mailing list.

Before you start, you'll probably want to add an admin user whose ID matches what will arrive in REMOTE_USER from Shibboleth (for example the user's eppn, depending on your attribute-map.xml). If you don't, you can instead change "admin" to that username in UP_USER.USER_NAME, UP_PERSON_DIR.USER_NAME, and UP_GROUP_MEMBERSHIP.MEMBER_KEY.

After doing all that, here is one way to Shibbolize uPortal v3.2.1. This assumes you don't need any authN other than Shibboleth; the login form is reduced to a single button that posts to Login, and uPortal takes the identity from REMOTE_USER instead of from a username and password:

Edit WEB-INF/classes/layout/theme/universality/components.xsl

 <xsl:template name="login">
    <div id="portalLogin" class="fl-widget">
      <div class="fl-widget-inner">
        <form method="post" action="Login">
            <fieldset id="portalLogin">
                <ul><li><input class="uportal-button" name="Login" value="Login" type="submit" /></li></ul>
                <xsl:apply-templates/>
            </fieldset>
        </form>
      </div>
    </div>                             
  </xsl:template> 

This assumes that you have configured the Shibboleth SP to require a session for the Login URL under uPortal (example: https://employees.acme.com/uPortal/Login), so that REMOTE_USER is already populated when the form's POST reaches the LoginServlet. It also assumes you are using the Universality theme. For mobile support, make a similar change to WEB-INF/classes/layout/theme/muniversality/components.xsl.

I also modified WEB-INF/classes/org/jasig/portal/channels/CLogin/html.xsl with the following. This is the template for local login and it shouldn't be used if you make the change above.

   <xsl:template match="login-status">
        <form method="post" action="Login">
            <fieldset id="portalLogin">
                <ul><li><input class="uportal-button" name="Login" value="Login" type="submit" /></li></ul>
                <xsl:apply-templates/>
            </fieldset>
        </form>  
    </xsl:template>

Edit WEB-INF/classes/properties/contexts/userContext.xml

<!--<bean id="personManager" class="org.jasig.portal.security.provider.SimplePersonManager"/> -->
<bean id="personManager" class="org.jasig.portal.security.provider.RemoteUserPersonManager"/>

Edit WEB-INF/classes/properties/security.properties

## This is the factory that supplies the concrete authentication class
root=org.jasig.portal.security.provider.UnionSecurityContextFactory
root.remoteuser=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory
#root.cas=org.jasig.portal.security.provider.cas.CasAssertionSecurityContextFactory
#root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory

...

## Answers where the user will be redirected when log out occurs. Each security context can have one.
## (See comments in the LogoutServlet class)
## It would be better to escape the value of the url parameter, but since there are no parameters on the
## unescaped URL and since there are no further parameters on the logout URL, this does work.
#logoutRedirect.root=http://localhost:8080/cas/logout?url=http://localhost:8080/uPortal/Login
logoutRedirect.root=/Shibboleth.sso/Logout

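The Apache-side configuration that the steps above take for granted, as an added example rather than anything from the original post: it guards /uPortal/Login with a required Shibboleth session, leaves the rest of /uPortal on a lazy session, keeps the /Shibboleth.sso handler endpoints on the SP instead of proxying them to Tomcat, and hands the request to Tomcat over AJP so that REMOTE_USER arrives as an AJP attribute. The hostname employees.acme.com is taken from the post; the AJP port 8009, the use of mod_proxy_ajp (rather than mod_jk), and the SSL directives are assumptions.

```apache
# Hypothetical httpd.conf fragment (added example, not from the original post).
# Assumes mod_shib, mod_proxy and mod_proxy_ajp are loaded, and that Tomcat's
# AJP connector listens on 127.0.0.1:8009 with tomcatAuthentication="false".
<VirtualHost *:443>
    ServerName employees.acme.com
    # SSLEngine on, SSLCertificateFile, etc. go here (assumed, omitted).

    # The SP serves its own endpoints (SAML ACS, Logout, Session status);
    # they must never be forwarded to Tomcat.
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    # Only the uPortal Login URL forces authentication. After the SSO round
    # trip, mod_shib sets REMOTE_USER from the attribute mapped to it in
    # attribute-map.xml (eppn by default).
    <Location /uPortal/Login>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>

    # Everything else under /uPortal uses a lazy session: an existing SP
    # session is honoured, but anonymous visitors are not redirected away.
    <Location /uPortal>
        AuthType shibboleth
        ShibRequestSetting requireSession 0
        Require shibboleth
    </Location>

    # Exclusions must precede the catch-all ProxyPass. Over AJP the value of
    # REMOTE_USER is carried as the remote_user attribute of the forward
    # request, which is why the AJP connector must only be reachable from
    # this host: anyone who can speak AJP to it can assert any username.
    ProxyPass /Shibboleth.sso !
    ProxyPass /uPortal ajp://127.0.0.1:8009/uPortal
</VirtualHost>
```

With this in place, logoutRedirect.root=/Shibboleth.sso/Logout from security.properties resolves to the SP's own Logout handler. Note that by default that handler ends only the SP session on this host; the IdP session survives, so a user who returns to /uPortal/Login will usually be signed in again without a prompt unless single logout is configured at the IdP.
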
There is a better way of doing this that would allow it to be an option along with local login and CAS, and I offered to provide such a patch to uPortal, but there didn't seem to be any interest, so I didn't spend additional time on it.

See also:
* https://spaces.internet2.edu/display/ShibuPortal/Shibbing+uPortal+JA-SIG+Session
* https://spaces.internet2.edu/display/ShibuPortal/Home
* https://spaces.internet2.edu/display/ShibuPortal/Portal+Design
