Integration with OnePass on Linux (CUHK Login via ADFS)

The information on this page will help you install Shibboleth SP for authentication and integrate it with OnePass on Linux, Windows or other servers.


1. Requirements
2. Shibboleth Installation

 

3. Basic Configuration of Shibboleth (/etc/shibboleth/shibboleth2.xml)

**The configuration below is for reference only. Some parameters and paths differ between Shibboleth versions and sub-versions, so double-check the corresponding path names and certificate names in your own configuration file.

  • The default configuration files are in /etc/shibboleth/
  • The Apache configuration file for Shibboleth is /etc/httpd/conf.d/shib.conf
  • In /etc/shibboleth, update the following in shibboleth2.xml:
    • ApplicationDefaults: change entityID="sp.example.org" to your application hostname, set REMOTE_USER="NameID", and add signingAlg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" digestAlg="SHA256"
      e.g. <ApplicationDefaults entityID="https://abc.cuhk.edu.hk/shibboleth" REMOTE_USER="eppn persistent-id NameID" signingAlg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" digestAlg="SHA256">
    • Sessions: set lifetime="28800" and timeout="1200"
    • SSO: set entityID to the OnePass IdP entityID; the entityIDs for the UAT and production environments are provided by OnePass support
    • Handler: set type="MetadataGenerator" and signing="true"
    • Errors: set supportContact to a valid email address for the person managing the SP configuration
    • MetadataProvider: set the url to the OnePass UAT / Production metadata URL, which will be provided by OnePass Support
  • Restart shibd and httpd after the configuration change, and check for errors in /var/log/shibboleth/
  • Sample shibboleth2.xml for Linux host and OnePass testing environment
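As an added pre-flight check (not part of this page or of the Shibboleth project), the POSIX shell script below tests a shibboleth2.xml against the settings listed above before shibd is restarted. The sample config it writes is constructed, with a hypothetical hostname and placeholder OnePass values; element matching is a deliberately simple grep that runs after XML comments are stripped, so the first uncommented element of each kind is the one checked.

```shell
#!/bin/sh
# Constructed sample config (hypothetical hostname, placeholder OnePass values) so the check runs offline.
write_sample_config() {
  cat > "$1" <<'EOF'
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <!-- shipped default, left commented out: <ApplicationDefaults entityID="https://sp.example.org/shibboleth"> -->
  <ApplicationDefaults entityID="https://abc.cuhk.edu.hk/shibboleth" REMOTE_USER="eppn persistent-id NameID"
      signingAlg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" digestAlg="SHA256">
    <Sessions lifetime="28800" timeout="1200" relayState="ss:mem" handlerSSL="true" cookieProps="https">
      <SSO entityID="https://ONEPASS-IDP-ENTITYID-PLACEHOLDER">SAML2</SSO>
      <Handler type="MetadataGenerator" Location="/Metadata" signing="true"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
    </Sessions>
    <Errors supportContact="sp-admin@abc.cuhk.edu.hk" helpLocation="/about.html"/>
    <MetadataProvider type="XML" validate="true" url="https://ONEPASS-METADATA-URL-PLACEHOLDER"/>
  </ApplicationDefaults>
</SPConfig>
EOF
}

# attr FILE ELEMENT_PATTERN ATTR: value of ATTR on the first matching element after XML comments are stripped.
attr() {
  tr '\n' ' ' < "$1" | awk '{ gsub(/<!--([^-]|-[^-])*-->/, ""); print }' \
    | grep -o "<$2[^>]*>" | head -n 1 | grep -o " $3=\"[^\"]*\"" | head -n 1 | sed 's/^[^"]*"//; s/"$//'
}

# Checks a shibboleth2.xml against the step 3 settings; prints one FAIL line per problem, returns 1 if any.
check_shib_config() {
  f=$1; rc=0
  fail() { echo "FAIL: $1"; rc=1; }
  case "$(attr "$f" ApplicationDefaults entityID)" in ""|*sp.example.org*) fail "entityID is still the shipped default" ;; esac
  case " $(attr "$f" ApplicationDefaults REMOTE_USER) " in *" NameID "*) ;; *) fail "REMOTE_USER does not list NameID" ;; esac
  [ "$(attr "$f" ApplicationDefaults signingAlg)" = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" ] \
    || fail "signingAlg is not rsa-sha256"
  [ "$(attr "$f" ApplicationDefaults digestAlg)" = "SHA256" ] || fail "digestAlg is not SHA256"
  [ "$(attr "$f" Sessions lifetime)" = "28800" ] || fail "Sessions lifetime is not 28800"
  [ "$(attr "$f" Sessions timeout)" = "1200" ] || fail "Sessions timeout is not 1200"
  case "$(attr "$f" SSO entityID)" in ""|*idp.example.org*) fail "SSO entityID is not the OnePass IdP entityID" ;; esac
  [ "$(attr "$f" 'Handler[^>]*type="MetadataGenerator"' signing)" = "true" ] || fail "MetadataGenerator signing is not true"
  case "$(attr "$f" Errors supportContact)" in ""|root@localhost) fail "Errors supportContact is not a real contact" ;; esac
  [ -n "$(attr "$f" MetadataProvider url)" ] || fail "MetadataProvider url is empty"
  return $rc
}

# Stand-alone run: check the sample, then a variant that still carries the shipped default entityID.
tmp=$(mktemp); write_sample_config "$tmp"
check_shib_config "$tmp" && echo "sample config OK"
sed 's#https://abc.cuhk.edu.hk/shibboleth#https://sp.example.org/shibboleth#' "$tmp" > "$tmp.bad"
check_shib_config "$tmp.bad" || echo "default entityID detected"
rm -f "$tmp" "$tmp.bad"
```

To check a real installation, call check_shib_config /etc/shibboleth/shibboleth2.xml instead of the sample file.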

 

4. Modification for Attributes Mapping
  • Core attributes (released by default)
    • e.g. Email Address, Role (Staff/Student/Alumni), Display Name
  • Additional attributes
    • Released upon request, subject to approval

For details of the attributes released, please contact the ITSC Service Desk.


5. Integration Work with OnePass Team
  • Provide your CADS no. to the OnePass Team
  • Provide the entity ID of your application
  • Provide your Metadata URL (the default is https://{yourhostname}/Shibboleth.sso/Metadata); it must be accessible from the campus network
  • The core attributes are passed to your application by default; additional attributes must be requested
  • Your logout button should trigger both your application's logout and the OnePass Logout URL
  • The OnePass team will import your metadata and configure it on the OnePass Testing platform; an email notification with test accounts will be sent to you once it is ready for testing
  • Testing must be completed and vulnerability scanning must pass before migrating to the OnePass Production environment
  • Please schedule the production migration with the OnePass Team 3 working days in advance


6. Simple Test
  • Remember to clear your browser cache first; using incognito or InPrivate mode for testing is recommended
  • This assumes PHP is installed on your server
  • By default, the path /secure on your server is protected by OnePass. To change it, refer to /etc/httpd/conf.d/shib.conf
  • The core attributes are passed to your application by default; additional attributes must be requested
  • Create a test page at /secure/test.php that shows phpinfo():
    <?php phpinfo(); ?>
  • Open a browser and access https://{yourhostname}/secure/test.php
  • You will be redirected to the OnePass login page; enter a valid Login ID and password
  • You should be authenticated and find your Login ID in the server variables NameID and REMOTE_USER
    e.g. in PHP, read the Login ID from the server variable: echo 'LoginID:' . $_SERVER['NameID'];
  • Log out; you will be redirected to the OnePass Logout page. Access your website again and check that you are asked for your credentials to log in to OnePass