External authentication / Shibboleth
The Asio Classroom Booking System has an interface for using an external system to store user information and authenticate users. One implementation of this interface is for Shibboleth, an open-source single sign-on user administration system. This document contains instructions for installing and configuring the Shibboleth interface. Please note that this document does not detail the process of installing the building blocks of the Shibboleth infrastructure but focuses on describing the Shibboleth-to-Asio interface.
Shibboleth integration with Asio Classroom Booking System
From the point of view of the Asio software, the Shibboleth infrastructure consists of two entities:
- An identity provider (called "origin" prior to version 1.3), which provides information on the user's identity for the Asio software
- A service provider (called "target" prior to version 1.3), which provides the Asio Classroom Booking system an interface to Shibboleth
Whenever a user logs in to the Asio Classroom Booking system that is utilizing Shibboleth-based authentication, the following process takes place:
- The Asio authentication interface notices that the user has not logged in and redirects the user to the address of the "shiblogin" subdirectory, which is located under Asio's main program directory.
- The Shibboleth module in Apache activates, the user logs in via Shibboleth's web login, and the Shibboleth session is established.
- The Asio Shibboleth Module passes the Shibboleth session attributes to the authentication interface.
- Shibboleth attributes "eduPersonAffiliation" and "eduPersonPrimaryAffiliation" are set as group memberships for the user. (You can utilize this information in configuring the profiler.)
- The user is profiled according to the profiler settings and a session is established.
Requirements
System requirements for using the Asio Shibboleth Module are as follows:
- Identity attributes must be stored according to HAKA Federation specification.
- Apache web server with the Shibboleth module installed and properly configured according to the organization's infrastructure.
- Shibboleth authentication must be enabled from Apache for the "shiblogin" subdirectory.
- Shibboleth module must be set as the active authentication interface for the Asio software
Enabling external authentication for Asio software
The following list gives step-by-step instructions on how to enable and configure Shibboleth authentication for the Asio software:
- Open the software's main configuration file inc/server_settings.php in a text editor.
- Find the entry labeled $ext_udb_config. This PHP array contains connection settings for Shibboleth. Please go through at least the following entries:
  - "domain_name" = A human-readable name for the system, for example the global domain of your company, such as "company.net"
  - "database" = Database of the classroom booking system to which the external authentication gives access. You should specify the previously mentioned organization's database name here.
  - "show_info" = Whether or not to show a summary of the user's profile on the main page (for debugging purposes)
- Find the entry labeled $ext_profiler_config. This PHP array contains settings for profiling external user information into the Asio software's user privileges.
  - "admin_groups" = Values of "eduPersonAffiliation" which have administration privileges in the Asio software. The setting is given as a PHP array, for example as follows:
    array("administration","maintenance")
  - "normal_groups" = Values of "eduPersonAffiliation" which have booking privileges to the Asio software.
  - "browsing_groups" = Windows user groups which have browsing-only access to the Asio software. You can specify a wildcard "*" here, which will give all registered Windows users browsing access.
  - "browsing_types" = Resource type limitation for browsing users. The setting is given as a PHP array, for example as follows:
    array("Computer classes","Meeting rooms")
    Similarly, you can define resource type limitations for administrators and booking users with the settings admin_types and normal_types.
  - "ROLE_groups" = Windows user groups which belong to the Asio system's role ROLE. You can specify a wildcard "*" here. (starting from classroom booking system version 7)
  - "roles" = Role priorities. The system sets the role for the user as the first one on this list matching the user's groups. Thus you should specify the roles on this list in such an order that the role giving the most access privileges comes first. (starting from classroom booking system version 7)
- Enable the Shibboleth authentication interface by copying or linking the file inc/ext_auth.php.shib to inc/ext_auth.php.
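
Because "roles" is evaluated first-match and "ROLE_groups" accepts the "*" wildcard, the order of the list decides which privileges a user ends up with. The following PHP sketch is an added example, not code from the Asio software: it models the rule as described above and checks a configuration for a wildcard role that shadows the roles listed after it. The role names (manager, teacher, viewer), the affiliation values and the functions resolve_role and audit_roles are assumptions made for this illustration.

```php
<?php
// Added illustration, not Asio code: a model of first-match role resolution.
// Role names, group values and both functions are assumptions for this example.

// Return the first role in 'roles' whose ROLE_groups entry matches the user.
function resolve_role(array $cfg, array $user_groups): ?string
{
    foreach ($cfg['roles'] as $role) {
        $allowed = $cfg[$role . '_groups'] ?? array();
        if (in_array('*', $allowed, true) || array_intersect($allowed, $user_groups)) {
            return $role;
        }
    }
    return null; // no match: the user gets no role
}

// Flag wildcard roles that are not last: they match everyone, so later roles never apply.
function audit_roles(array $cfg): array
{
    $findings = array();
    $last = count($cfg['roles']) - 1;
    foreach ($cfg['roles'] as $i => $role) {
        if ($i < $last && in_array('*', $cfg[$role . '_groups'] ?? array(), true)) {
            $findings[] = "role '$role' uses \"*\" and shadows every role listed after it";
        }
    }
    return $findings;
}

// Constructed settings in the style of $ext_profiler_config.
$good = array(
    'roles'          => array('manager', 'teacher', 'viewer'), // most privileged first
    'manager_groups' => array('staff'),
    'teacher_groups' => array('faculty'),
    'viewer_groups'  => array('*'),
);
$bad = $good;
$bad['roles'] = array('viewer', 'teacher', 'manager'); // wildcard role listed first

// Constructed users: affiliation values as passed in by the Shibboleth module.
$users = array('staff' => array('staff', 'member'), 'student' => array('student'));
foreach ($users as $label => $groups) {
    printf("%-8s good order: %-8s bad order: %s\n", $label,
        resolve_role($good, $groups), resolve_role($bad, $groups));
}
print_r(audit_roles($good)); // audit of the intended ordering
print_r(audit_roles($bad));  // audit of the misordered list
```

Running the same kind of audit against the real $ext_profiler_config after each change is a quick way to catch a wildcard role that was moved ahead of a more specific one.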


