Integration with OnePass on Linux (CUHK Login via ADFS)
(+852) 39438845
- ITSC User Satisfaction and Needs Survey 2021
- Closing of User Area on 26 Mar 2021 (2:00PM – 6:00PM)
- Phishing Alert: Follow Up Email Immediately
- SPSS and AMOS License Server Maintenance for Application Upgrade on 25 Apr
- Phishing Alert: Team Meeting (March)
Integration with OnePass on Linux (CUHK Login via ADFS)
Information included on this page will help you to install and use Shibboleth for authentication and integration with OnePass on an Linux or Windows or other servers.
1. Requirements
- Service Provider using Linux versions stated at https://wiki.shibboleth.net/confluence/display/SP3/SystemRequirements#SystemRequirements-Linux/Unix
- Apache is being started with SSL enabled
- SSO and SLO should be signed
- Assertion should be signed and encrypted
- Signing algorithm should be SHA256 for the federation
- The application server time must be kept up-to-date and accurate
- Logout button should be enhanced for global sign out OnePass session
2. Shibboleth Installation
- Find the repository tree for Shibboleth
- As root cd /etc/yum.repos.d, get the repository, e.g. for CentOS 7:
wget http://download.opensuse.org/repositories/security:/shibboleth/CentOS_7/security:shibboleth.repo - yum install shibboleth.x86_64 (for 64-bit machine, for 32-bit machine, use package “shibboleth”)
- SELinux enabled but permissive / SELinux disabled
- Restart shibboleth service and apache service
- Verify Shibboleth installation with
– yum info shibboleth.x86_64
– Open a web browser, go to https://localhost/Shibboleth.sso/Status (case sensitive), it should return an XML document with:
<Status><OK/></Status>
3. Basic Configuration of Shibboleth (/etc/shibboleth/shibboleth2.xml)
**The configuration below is for your reference only. Some parameters and paths may be different with different Shibboleth versions / sub-versions. Kindly double-check the corresponding path name/certificate name in your configuration file.
- Default configuration files should be found in /etc/shibboleth/
- An apache configuration file for Shibboleth should be found in /etc/httpd/conf.d/shib.conf
- In /etc/shibboleth, update below information on shibboleth2.xml
| ApplicationDefaults, update entityID=”sp.example.org” to your application hostname, change REMOTE_USER=”NameID”, add signingAlg=”http://www.w3.org/2001/04/xmldsig-more#rsa-sha256″ digestAlg=”SHA256″ e.g. <ApplicationDefaults entityID=”https://abc.cuhk.edu.hk/shibboleth” REMOTE_USER=”eppn persistent-id NameID” signingAlg=”http://www.w3.org/2001/04/xmldsig-more#rsa-sha256″ digestAlg=”SHA256″> |
| Sessions lifetime: update to “28800”, timeout: update to “1200” |
| SSO entityID, should be updated to OnePass entityID, the entityIDs for UAT / production environments are provided by OnePass support. |
| Handle type: update to “MetadataGenerator”, signing: update to “true” |
| Errors supportContact: update to a valid email address for the person managing the SP configuration |
| MetadataProvider type: update the url to OnePass UAT / Production environments which will be provided by OnePass Support. |
- Restart shibd and httpd after configuration, and check any error at /var/log/shibboleth/
- Sample shibboleth2.xml for Linux host and OnePass testing environment
4. Modification for Attributes Mapping
- Core Attributes (The attributes are released by default)
- such as Email Address, Role (Staff/Student/Alumni), Display Name
- Additional attributes
- Upon request and requires approval
For more information about the specifics of the attributes released, please contact ITSC Service Desk.
5. Integration Work with OnePass Team
- Provide your CADS no. to OnePass Team
- The entity ID of your application
- Metadata URL (The default is https://{yourhostname}/Shibboleth.sso/Metadata), must be accessible from campus network
- The core attributes would be passed to your application by default, additional attributes need by request
- Include OnePass Logout URL plus your application logout together for your logout button
- OnePass team would import your metadata and have configuration on OnePass Testing platform, email notification with testing accounts would be sent to you once ready for test
- Test completion, vulnerability scanning must be pass before migrating to OnePass Production environment
6. Simple Test
- Remember to clean up your browser cache first, it’ll be good to use incognito or InPrivate mode for testing
- Assume PHP is installed in your server
- By default, your server’s path /secure is protected by OnePass. If you want to change it, please refer to /etc/httpd/conf.d/shib.conf
- The core attributes would be passed to your application by default, additional attributes need by request
- Create a test.php in your /secure/test.php to show phpinfo()
<% php phpinfo() %> - Open a browser to access https://{yourhostname}/secure/test.php
- You will be redirected to OnePass login page, key in valid Login ID and password
- You should be able to authenticate and find your Login ID in server variable NameID and REMOTE_USER
e.g. for php to get the LoginID using php variable: echo ‘LoginID:’ . $_SERVER[‘NameID’] - Logout, you will be redirected to OnePass Logout page. Access your website again and see if you have to fill in your credential to login OnePass
