Authentication using Shibboleth
This SecurityModule allows authentication using a native Shibboleth Service Provider (SP) for Windows. Installation and configuration of the Shibboleth runtime is not covered here; for more information, head to the Shibboleth documentation.
Prerequisites
A configured Shibboleth SP on the ImageVault site. Since some of the resources on ImageVault can be accessed by non-authenticated users, the RequestMap needs to be configured as in the example below to exclude those resources from the session requirement.
Example configuration for the RequestMapper in shibboleth2.xml
<RequestMapper type="Native">
  <RequestMap>
    <Host name="mysite.imagevault.se" authType="shibboleth" requireSession="true">
      <Path name="account/loggedout" requireSession="false"/>
      <Path name="error" requireSession="false"/>
      <Path name="gallery" requireSession="false"/>
      <Path name="images" requireSession="false"/>
      <Path name="localization" requireSession="false"/>
      <Path name="publishedmedia" requireSession="false"/>
      <Path name="script" requireSession="false"/>
      <Path name="share" requireSession="false"/>
      <Path name="shares" requireSession="false"/>
      <Path name="styles" requireSession="false"/>
      <Path name="w3c" requireSession="false"/>
      <Path name="ziparchive" requireSession="false"/>
      <Path name="apiv2" requireSession="false"/>
    </Host>
  </RequestMap>
</RequestMapper>
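To check an exclusion list like the one above before deploying it, here is an added example (not code from ImageVault or from the Shibboleth project) that models, in Python, how the Native RequestMapper decides whether a request needs a session. It is a simplified model and an assumption of this example: a Path name matches one path segment per slash-separated component, nested Path elements match successive segments, settings such as requireSession are inherited from the enclosing Host unless a closer Path overrides them, and matching is exact on segment text. The RequestMap embedded below is a constructed, trimmed copy of the one shown above; helper names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the RequestMap from the text above.
REQUEST_MAP = """
<RequestMapper type="Native">
  <RequestMap>
    <Host name="mysite.imagevault.se" authType="shibboleth" requireSession="true">
      <Path name="account/loggedout" requireSession="false"/>
      <Path name="gallery" requireSession="false"/>
      <Path name="apiv2" requireSession="false"/>
    </Host>
  </RequestMap>
</RequestMapper>
"""


def _walk(element, segments):
    """Return the chain of elements matched along `segments`, nearest last.

    Assumption of this model: a <Path name="a/b"> consumes two segments,
    and only the first matching child is followed at each level.
    """
    chain = [element]
    remaining = list(segments)
    node = element
    while remaining:
        matched = None
        for child in node.findall("Path"):
            parts = child.get("name", "").strip("/").split("/")
            if remaining[: len(parts)] == parts:
                matched = (child, len(parts))
                break
        if matched is None:
            break
        node, consumed = matched
        chain.append(node)
        remaining = remaining[consumed:]
    return chain


def effective_settings(request_map_xml, host, path):
    """Merge attributes from Host down to the deepest matching Path.

    Returns None when no Host entry matches (RequestMapper defaults would
    apply there; that fallback is outside this model).
    """
    root = ET.fromstring(request_map_xml)
    for host_el in root.iter("Host"):
        if host_el.get("name", "").lower() != host.lower():
            continue
        segments = [s for s in path.split("?")[0].split("/") if s]
        settings = {}
        for el in _walk(host_el, segments):
            for key, value in el.attrib.items():
                if key != "name":
                    settings[key] = value  # closer element overrides outer one
        return settings
    return None


def requires_session(request_map_xml, host, path):
    """True when the effective requireSession setting is 'true'."""
    s = effective_settings(request_map_xml, host, path)
    return s is not None and s.get("requireSession", "false").lower() == "true"


def public_paths(request_map_xml, host, candidates):
    """Filter a list of sample request paths down to the ones served without a session."""
    return [p for p in candidates if not requires_session(request_map_xml, host, p)]


if __name__ == "__main__":
    samples = ["/", "/gallery/123", "/galleryx", "/account/loggedout",
               "/account/settings", "/apiv2/mediaitems"]
    for p in samples:
        print(f"{p:25} requireSession={requires_session(REQUEST_MAP, 'mysite.imagevault.se', p)}")
```

Run against the sample paths, the model shows that anything not listed under the Host (for example /account/settings or a near-miss such as /galleryx) still inherits requireSession="true" from the Host element, while /gallery/123 and /apiv2/mediaitems are served without a session; that is the property to confirm for every resource the site intends to expose without authentication.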
The Shibboleth SP must also be configured to pass the user information to ImageVault as request headers. The following attributes must be passed along:
- Unique user identity (often eppn or any other unique attribute)
- Name of user
- [Optional] attributes with group information
ImageVault Ui
To allow ImageVault to pick up the user information you need to configure a SecurityManager in web.config.
Authentication
When using Shibboleth authentication, the authentication mode in web.config must be set to None.
<system.web>
  <authentication mode="None"/>
</system.web>
ConnectionStrings
To use Shibboleth with ImageVault, add or modify the connection string named ImageVaultSecurityManager.
<connectionStrings>
  <add name="ImageVaultSecurityManager"
       connectionString="authIdentityHeader=eppn;authRolesIdentityHeader=affiliation;authRolesIdentityHeaderRegex=([^,\s]+);authNameHeader=displayName"
       providerName="ImageVault.Shibboleth.Providers.ShibbolethSecurityManager,ImageVault.Shibboleth.Providers" />
</connectionStrings>
name
Must be ImageVaultSecurityManager for the Ui to detect which connection string should be used for the SecurityManager.
providerName
Tells ImageVault which SecurityManager it will use (see ISecurityManager for more information).
For Shibboleth, use the following providerName: ImageVault.Shibboleth.Providers.ShibbolethSecurityManager,ImageVault.Shibboleth.Providers
connectionString
This is a key-value string where key and value are separated by = and each pair is terminated with a ;
The possible keys are listed below (keys are case-insensitive).
authIdentityHeader
The name of the request header that contains the user's unique identity.
Default value is eppn.
authRolesIdentityHeader
The name of the request header that contains the user's group affiliation value.
Default value is affiliation.
authRolesIdentityHeaderRegex
The regular expression used to identify the roles of the user. The expression is run on the roles identity header value and, for each successful match, a role is added from the first match group ($1).
Default value is ([^,\s]+)
authNameHeader
The name of the request header that contains the name of the user (aka display name).
authCookieRegex
Since Shibboleth sets a cookie to keep a session going, this cookie needs to be cleared when signing out. You can set a regular expression that selects which cookies should be cleared when a sign-out command is issued.
Default value is shibsession
logoutUrl
You can also trigger a redirect to an external page when sign-out occurs, if you would like the user to trigger a sign-out at some other system. In that case, fill in the URL of that page in this parameter. If left unspecified, this redirect is not triggered.
No default value
logoutUrlReturnUrlParameter
If you specify the logoutUrl, you can define a query string parameter that the URL accepts, supplying the landing page to return to after a successful logout request. If set, the ImageVault signed-out landing page is supplied as the value of that parameter.
No default value
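To make the connectionString keys above concrete, here is an added example in Python (not ImageVault's own code) that models how those keys are applied to a request: parsing the key=value; string with case-insensitive keys and the documented defaults, resolving identity, display name and roles from the configured headers, selecting the cookies to clear at sign-out, and building the logoutUrl redirect. Two details are assumptions of this example rather than statements from the page: role extraction falls back to the whole match when the regex has no capture group, and the return URL is appended as an encoded query string parameter. The connection string, headers and cookie names below are constructed sample data, and the helper names are this example's own.

```python
import re
from urllib.parse import urlencode

# Documented defaults, keyed by lower-cased key name (keys are case-insensitive).
DEFAULTS = {
    "authidentityheader": "eppn",
    "authrolesidentityheader": "affiliation",
    "authrolesidentityheaderregex": r"([^,\s]+)",
    "authnameheader": None,
    "authcookieregex": "shibsession",
    "logouturl": None,
    "logouturlreturnurlparameter": None,
}


def parse_connection_string(value):
    """Split 'key=value;key=value;' into a dict, falling back to DEFAULTS.

    Each pair is terminated by ';', so a value cannot itself contain ';'.
    """
    settings = dict(DEFAULTS)
    for pair in value.split(";"):
        if not pair.strip():
            continue  # trailing ';' leaves an empty pair
        key, sep, val = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed pair (missing '='): {pair!r}")
        settings[key.strip().lower()] = val.strip()
    return settings


def resolve_user(settings, headers):
    """Return (identity, display_name, roles) from request headers.

    Returns None when the identity header is absent, i.e. the SP has not
    established a session for this request (the case on paths the
    RequestMap exempts from requireSession when the user is anonymous).
    """
    h = {k.lower(): v for k, v in headers.items()}
    identity = h.get(settings["authidentityheader"].lower())
    if not identity:
        return None
    name_header = settings["authnameheader"]
    name = h.get(name_header.lower()) if name_header else None
    roles = []
    raw = h.get(settings["authrolesidentityheader"].lower(), "")
    for m in re.finditer(settings["authrolesidentityheaderregex"], raw):
        # Documented behaviour: one role per match, taken from group $1.
        # Assumption: with no capture group, use the whole match.
        role = m.group(1) if m.lastindex else m.group(0)
        if role and role not in roles:
            roles.append(role)
    return identity, name, roles


def cookies_to_clear(settings, cookie_names):
    """Cookies whose names match authCookieRegex are cleared at sign-out."""
    pattern = re.compile(settings["authcookieregex"])
    return [c for c in cookie_names if pattern.search(c)]


def logout_redirect(settings, signed_out_landing_page):
    """Build the external sign-out redirect, or None when logoutUrl is unset."""
    url = settings["logouturl"]
    if not url:
        return None
    param = settings["logouturlreturnurlparameter"]
    if not param:
        return url
    sep = "&" if "?" in url else "?"  # assumption: appended as a query parameter
    return url + sep + urlencode({param: signed_out_landing_page})


# Constructed sample configuration and request data.
CONNECTION_STRING = (
    "authIdentityHeader=eppn;authRolesIdentityHeader=affiliation;"
    "authRolesIdentityHeaderRegex=([^,\\s]+);authNameHeader=displayName;"
    "logoutUrl=https://idp.example.org/logout;logoutUrlReturnUrlParameter=return"
)
SAMPLE_HEADERS = {
    "eppn": "jdoe@example.org",
    "displayName": "Jane Doe",
    "affiliation": "staff@example.org, member@example.org,employee@example.org",
}
SAMPLE_COOKIES = ["_shibsession_64656661756c74", "ASP.NET_SessionId", "ImageVault.Auth"]

if __name__ == "__main__":
    cfg = parse_connection_string(CONNECTION_STRING)
    print(resolve_user(cfg, SAMPLE_HEADERS))
    print(cookies_to_clear(cfg, SAMPLE_COOKIES))
    print(logout_redirect(cfg, "https://mysite.imagevault.se/account/loggedout"))
```

The sample affiliation header mixes comma and comma-plus-space separators on purpose: the default regex ([^,\s]+) yields exactly three roles from it, which is the behaviour to expect when the IdP releases a multi-valued attribute, and a custom regex can be checked the same way before it goes into web.config.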