Shibboleth allows users to use a single username/password to sign into the system and related but independent software applications.
User access can be controlled using an attribute configured on user accounts that have Shibboleth content protection enabled. When a user initially creates a user account using their Shibboleth credentials, the system reads a designated Shibboleth attribute and sets the security groups on the user accordingly.
To access the Shibboleth configuration, navigate to the Registry - System::Application::External Authentication::Shibboleth node. If you do not have an existing Shibboleth implementation, this node will not appear.
Information: The site(s) using Shibboleth authentication must have the site's base URL entered in the Content Management - Site|Basic page's 'Site URL(s)' field and 'Payment Return URL' field.
| Field | Description |
| --- | --- |
| Group Attribute Name | Enter the name of the Shibboleth attribute that the system will read to set the appropriate group against the user. The name should be the Apache standard name (the name as it is passed by an Apache server). Contact your Shibboleth administrator for more information. Shibboleth must be configured to pass this attribute to AudienceView when users create their accounts. If you are configuring a value in this field, you must also complete the following on the System::Application::External Authentication::Shibboleth::Group Mapping node: • Label: Enter the GUID for the group that will be added to the user if the value in the 'Key' field is found. • Key: Enter the string value which the system should search for within the Shibboleth attribute. |
| IDP Entity ID | Enter the unique identifier of the client server that performs authentication. Typically, servers use https and the IDP Entity ID ends with /idp/shibboleth. |
| SP Entity ID | Enter the unique identifier of the server that performs authentication (it handles all communication between the system and the IDP) and has the Shibboleth Service Provider software installed. This is typically the same server as the application server. Typically, servers use https and the EntityID ends with /shibboleth. |
| SP URL | Enter the URL where the service provider (SP) can be accessed. By default, this is /Shibboleth.sso on the server. |
| SSO Interface | Select the single sign-on (SSO) interface that is being used. Currently, the only valid value is Shibboleth. |
Information: The groups set against the user will be the union of any groups defined as the default groups for customer users (configured in the Registry - Registry::EN::Business Objects::TScustomerBO::User::Group node's 'Default Value' field) plus any groups added as a result of the 'Group Attribute Name' configuration.
•The implementation only reads the Shibboleth attribute when the user is initially created. It does not check the attribute on subsequent logins. This means that once the recommended configuration is done, pre-existing users will not be able to create an event owner profile, even if they have the Shibboleth attribute permitting them to create profiles. Pre-existing users who require the permission will either need to be updated manually or through a script.
•When users are logged in and attempt to access a page that has been disabled (Event Owner Profile) through Application Security, they are returned to the login page.
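The group mapping and the create-time-only read described above, modelled as an added example (not AudienceView code). It assumes that "search for within" means a plain substring match on the attribute value; the GUIDs, keys, attribute values and user records are constructed, and the function names are hypothetical.

```python
# Added example: models the Group Mapping behaviour described on this page.
# Assumption: the Key is matched as a plain substring of the attribute value
# as Apache passes it. All GUIDs, keys and user records below are constructed.

DEFAULT_GROUPS = {"11111111-0000-0000-0000-000000000001"}  # constructed GUID
GROUP_MAPPING = {  # Key (string searched for) -> Label (group GUID)
    "event-owner": "22222222-0000-0000-0000-000000000002",
    "staff": "33333333-0000-0000-0000-000000000003",
}


def resolve_groups(attribute_value, mapping=GROUP_MAPPING, defaults=DEFAULT_GROUPS):
    """Groups set on a newly created user: the default groups plus every
    mapped group whose Key is found in the attribute value."""
    groups = set(defaults)
    for key, group_guid in mapping.items():
        if attribute_value and key in attribute_value:
            groups.add(group_guid)
    return groups


def find_stale_users(users, mapping=GROUP_MAPPING, defaults=DEFAULT_GROUPS):
    """Users whose stored groups differ from what their current attribute
    would produce. The attribute is read only at account creation, so these
    accounts need a manual or scripted update. 'extra' can also contain
    groups an administrator assigned by hand, so review before removing."""
    report = {}
    for name, record in users.items():
        expected = resolve_groups(record["attribute"], mapping, defaults)
        missing = expected - record["groups"]
        extra = record["groups"] - expected
        if missing or extra:
            report[name] = {"missing": missing, "extra": extra}
    return report


# Constructed sample accounts: groups stored at creation vs. attribute today.
USERS = {
    "alice": {"attribute": "member;event-owner", "groups": set(DEFAULT_GROUPS)},
    "bob": {"attribute": "member", "groups": resolve_groups("member;staff")},
    "carol": {"attribute": "member;staff", "groups": resolve_groups("member;staff")},
}

if __name__ == "__main__":
    for user, diff in find_stale_users(USERS).items():
        print(user, diff)
```

Under the substring assumption, a Key that is contained in another attribute value (for example "staff" inside "nonstaff") would also match, so keys should be chosen so that no unrelated value contains them.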