Add links on the Plone login page for redirecting logins to Shibboleth.

ShibbolethLogin Package Readme

Overview

Add links on the Plone login page for redirecting logins to Shibboleth.

ShibbolethLogin replaces the /login_form with a with a slightly modified page that has links to zero or more Shibboleth "Where Are You From" (WAYF) servers, or directly to an Identity Provider (IdP).

Requirements

  • Zope and Plone. Tested with Zope 2.9.7 and Plone 2.5.3, and Zope 2.10.5 and Plone 3.0.6.

AutoUserMakerPASPlugin is not required, if you have some other means of handling the redirect from the Identity Provider.

Installation

  1. Unzip the ShibbolethLogin.zip file in $INSTANCE_HOME/Products.
  2. Restart Zope.
  3. Install the plugin:
    • If you're using Plone...
      1. Go to your-plone-site -> site setup -> Add/Remove Products, and install ShibbolethLogin.
    • If you're not using Plone...
      1. In the Zope Management Interface, navigate to your-plone-site -> acl_users.
      2. Add a "Shibboleth Login" to the folder.

Using Shibboleth Login

  1. In the ZMI, click the ShibbolethLogin instance in Plone's acl_users.
  2. Change the Shibboleth provider ID and the SHIRE URL, based on your shibboleth.xml configuration.
  3. Change the labels and URLs. The labels are the link labels users will see in the login page. Labels and URLs must be in the same order. The first example URL has 2 'localhost' items that should be replaced with the hostname of the WAYF server, and the WAYF server's location. These are defined in the Applications and SessionInitiator sections of your shibboleth.xml. The second example is for ProtectNetwork's Identity Provider.
  4. The example logout URL should have the same hostname as the first example login URL. The first login URL, and the logout URL configure Plone to use Shibboleth's 'lazy login'. This only works with local Identity Providers, not through a WAYF system. Shibboleth 2.0 will add better logout support. ShibbolethLogin will need to get updated for that.
  5. Change the redirect checkboxes and ports if needed.
  6. Click Save.

Design Rationale

The plan is for this to be a drop in plugin that works with existing themes, rather than having to modify a theme to accommodate Shibboleth logins. Any theme that modifies the login_form may need to have the theme's login_form changed by hand. Currently this doesn't do anything to the login portlet. Maybe I'll create a Shibboleth portlet in the future.

Testing

To run the ShibbolethLogin tests, use the standard Zope testrunner:

$INSTANCE_HOME/bin/zopectl test -s Products.ShibbolethLogin

Credits

Alan Brenner, of Ithaka Harbors, Inc., under the direction of the Research in Information Technology program of the Andrew W. Mellon Foundaton, wrote ShibbolethLogin. I'd like to thank Paul Yuergens of psych.ucla.edu, Li Cheng of pku.edu.cn and Yuri of alfa.it for testing.

Support

For right now, email alan DOT brenner AT ithaka DOT org. I'm sometimes on the #plone IRC channel as AlanBrenner.