Configure a Shibboleth Service Provider
The following describes how to set up a Shibboleth Service Provider to enable SAML authentication via an Identity Provider configured on ArcGIS Portal.
The workflow described here for installing and configuring third-party software is not part of WebOffice standard support. The VertiGIS Professional Services team will be happy to assist you with questions or to take care of the installation and configuration (fee-based).
Conceptual overview
If WebOffice is configured via SAML authentication in the way described here, a session at the portal / IDP is always required to access WebOffice projects.
If no corresponding session headers are available, no access to a WebOffice project is possible.
In this case WebOffice will forward the user to Portal for ArcGIS for authentication.
WebOffice authenticates itself against Portal for ArcGIS or ArcGIS Server via OAuth.
Portal for ArcGIS recognizes that there is no session and forwards the user to the Identity Provider for authentication, where the user can log in.
If the login at the Identity Provider succeeds, it sends the user information back to the Service Provider. The user attributes are mapped to HTTP headers using the configured mapping.
Based on these headers and the corresponding group restrictions or permissions configured in the UMDB, it is determined whether the user has access to the project, the main map service and the other map services.
If access is granted, the user can open the WebOffice project.
The headers remain stored in the session. As soon as the user opens a WebOffice project again, the WebOffice application server recognizes the available headers and no new authentication is required.
Shibboleth installation and configuration
Several steps are required to set up a Shibboleth Service Provider.
The latest available version of the Shibboleth Service Provider can be downloaded from the following URL:
https://shibboleth.net/downloads/service-provider/latest/win64/
After successful installation a restart of the computer is required.
After the installation, you can check in the browser whether it was successful by calling https://localhost/Shibboleth.sso/Status; if so, the status OK is returned.
The metadata can be downloaded via https://localhost/Shibboleth.sso/Metadata and saved as an XML file. This file must be registered with the Identity Provider.
Afterwards, <Shibboleth-SP>\etc\shibboleth\shibboleth2.xml has to be opened and the following adjustments made:
• In the element RequestMapper > RequestMap > Host > Path, requireSession="false" must be set.
• In the element SPConfig > InProcess > ISAPI > Site, the property name must be set to the external host name.
• In the element SPConfig > RequestMapper > RequestMap > Host, name must also be set to the external host name.
• In the element SPConfig > RequestMapper > RequestMap > Host > Path, name must be set to the WebOffice application name.
• In the element SPConfig > ApplicationDefaults, the entityID has to be adjusted to https://[EXTERNAL-Servername.Domain]/shibboleth.
• In the element SPConfig > ApplicationDefaults > Sessions > SSO, the entityID of the IdP has to be entered.
• In the element SPConfig > ApplicationDefaults > Sessions > Logout, SAML2 Local has to be changed to SAML2.
• In the element SPConfig > ApplicationDefaults > Sessions > Handler with type="Session", set showAttributeValues to true.
• In the element SPConfig > ApplicationDefaults > Errors > Handler, the parameter supportContact can be changed to a suitable mail address.
• In the element SPConfig > ApplicationDefaults, MetadataProvider has to be commented out and the path to the metadata XML has to be specified accordingly.
• In the element SPConfig > ApplicationDefaults > AttributeExtractor, the following configuration is to be entered instead of the existing one:
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<AttributeExtractor type="Assertion" AuthnInstant="HTTP_AUTHENTICATE_TIME"/>
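As an added illustration (not part of the original page or of the shipped Shibboleth/WebOffice files), the relevant parts of a shibboleth2.xml with the adjustments above applied. The host name sp.example.org, the application name WebOffice, the IdP entityID https://idp.example.org/idp/shibboleth, the metadata file name idp-metadata.xml and the mail address are placeholders; the remaining attributes are typical defaults.

```xml
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config" clockSkew="180">
    <InProcess>
        <ISAPI normalizeRequest="true" safeHeaderNames="true">
            <!-- external host name of the Service Provider (placeholder) -->
            <Site id="1" name="sp.example.org"/>
        </ISAPI>
    </InProcess>
    <RequestMapper type="Native">
        <RequestMap>
            <!-- same external host name; Path name = WebOffice application name -->
            <Host name="sp.example.org">
                <!-- requireSession="false": WebOffice triggers the login itself via login_shibboleth.jsp -->
                <Path name="WebOffice" authType="shibboleth" requireSession="false"/>
            </Host>
        </RequestMap>
    </RequestMapper>
    <!-- entityID of this SP, i.e. https://[EXTERNAL-Servername.Domain]/shibboleth -->
    <ApplicationDefaults entityID="https://sp.example.org/shibboleth" REMOTE_USER="eppn subject-id pairwise-id persistent-id">
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false"
                  handlerSSL="true" cookieProps="https" redirectLimit="exact">
            <!-- entityID of the IdP (placeholder) -->
            <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2</SSO>
            <!-- "SAML2 Local" changed to "SAML2" so the logout is propagated to the IdP -->
            <Logout>SAML2</Logout>
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <!-- showAttributeValues="true": /Shibboleth.sso/Session lists the received attribute values -->
            <Handler type="Session" Location="/Session" showAttributeValues="true"/>
        </Sessions>
        <Errors supportContact="weboffice-admin@example.org" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/>
        <!-- IdP metadata saved locally; the file name is a placeholder -->
        <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
        <AttributeExtractor type="Assertion" AuthnInstant="HTTP_AUTHENTICATE_TIME"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <CredentialResolver type="File" use="signing" key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
        <CredentialResolver type="File" use="encryption" key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
    </ApplicationDefaults>
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
```

After restarting the Shibboleth service, https://localhost/Shibboleth.sso/Status and, once logged in, https://localhost/Shibboleth.sso/Session can be used to verify that the SP loaded the file and that the expected attributes arrive.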
Furthermore the <Shibboleth-SP>\etc\shibboleth\attribute-map.xml has to be opened.
Basically all listed attributes can be deleted and the required attributes can be entered, e.g.:
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" id="AUTHENTICATE_NAMEID">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute>
<Attribute name="urn:oid:2.5.4.42" id="AUTHENTICATE_GIVENNAME">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:2.5.4.4" id="AUTHENTICATE_PRINCIPALNAME">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="AUTHENTICATE_MAIL">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:2.16.840.1.113719.1.1.4.1.25" id="AUTHORIZE_ROLES">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
In IIS, check on the Default Web Site whether ISAPI_shib.dll is listed under ISAPI Filters; otherwise add it manually.
After these configurations, the Shibboleth service and IIS have to be restarted.
Creating the files in the WebOffice application
Afterwards the two files login_shibboleth.jsp and logout_shibboleth.jsp have to be created in the WebOffice application (e.g. C:\Tomcat\webapps\WebOffice\login_shibboleth.jsp).
The login_shibboleth.jsp is to be filled with the following content:
<%@page import="com.mysynergis.core.controller.jsp.JspUtilAuth"%>
<%@page import="com.mysynergis.core.util.http.servlet.HttpRequestWrapper"%>
<%@page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%
// the shibboleth handler to be used for login
String handlerUrlPvp = "https://[EXTERNER-Servername.Domäne]/Shibboleth.sso";
String loginChoicePvp = JspUtilAuth.getShibbolethLoginWithPvpLoginTarget(handlerUrlPvp, HttpRequestWrapper.fromRequest(request));
// this will directly send the 302 redirect to the shibboleth login
response.sendRedirect(loginChoicePvp);
%>
It is essential to adjust handlerUrlPvp.
The logout_shibboleth.jsp is to be filled with the following content:
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%
// JSP called from AUTHENTICATION_PVP >>> e.g.: portal_url_logout="<https://[EXTERNER-Servername.Domäne]/wO_application>/logout_shibboleth_iis.jsp"
// this will directly send the 302 redirect to the shibboleth logout
response.sendRedirect("https://[EXTERNER-Servername.Domäne]/Shibboleth.sso/Logout");
%>
It is necessary to adjust the parameter of response.sendRedirect!
Adjustments in the WebOffice Application Configuration
In the WebOffice author standalone application configuration, User Management must be activated and Portalverbundprotokoll must be selected as the Authentication type.
The user attribute and the role attribute must be filled according to the transferred attributes.
The created login_shibboleth.jsp must be specified as the Portal page.
The Logout page is by default https://[EXTERNAL-Servername.Domain]/Shibboleth.sso/Logout.
Use role information only must be set to True.
In addition, the Portal Session Headers sub-node can be added in order to enter the other attributes specified in the attribute map in further sub-nodes.
In ArcGIS Enterprise Portal an application WebOffice has to be created, see chapter WebOffice with ArcGIS Enterprise (Portal for ArcGIS) and SSO authentication.