
Configure the Captive Portal to authenticate users against a SAML 2.0 IdP using Shibboleth

This guide describes how to configure the Captive Portal to authenticate users for network access against a Shibboleth SAML 2.0 Identity Provider belonging either to a single AAI (Authentication and Authorization Infrastructure) or to a federation of them.

Note that this document is still in draft form and is mostly a collection of screenshots.

The discussion is divided into the following sections:

Activate Shibboleth Authentication

From the [Web Login Authentication Server] form you can enable Shibboleth authentication. You can also choose between two modes: in [On Demand] mode the classic Captive Portal screen for entering username and password appears, and the user presses the [AAI] button to be redirected to the WAYF/IdP URL; in [Auto] mode the user is redirected directly to the Identity Provider, bypassing the RADIUS/Kerberos 5 authentication of the Captive Portal. The [SP EntityID] field is the value of the entityID parameter with which the Captive Portal Service Provider is registered in the federation metadata. Set this value before generating the metadata to be sent to the manager of the AAI Federation with which you want to register the Captive Portal.


Screenshot: Activate Shibboleth Authentication


Configuration of the Shibboleth module for Apache


From the panel shown below you can configure the Shibboleth module for Apache in more detail. From this panel you can also upgrade the software that implements the Shibboleth Service Provider. Updates are released as a single package which includes:
  • log4shib
  • opensaml 2
  • shibboleth-sp 2
  • xml-security-c
  • xmltooling
The updates are available at the URL http://www.zeroshell.org/shibboleth, where the procedure for building the updated packages from source code is also described.


Screenshot: Configuration of the Shibboleth module for Apache

Shibboleth module configuration via Web File Editor


Given the high configurability of the Shibboleth SP module, it was decided to let the administrator manage the configuration files manually using the web editor. Zeroshell nonetheless does part of the work by pre-configuring some parameters.


Screenshot: Shibboleth module configuration via Web File Editor

Configuration Check


After a configuration change and before restarting Shibboleth, you should always check the consistency of the files in /etc/shibboleth using the [Verify] button, which highlights the issues found, classified as warning, error, critical or fatal depending on their severity.


Screenshot: Configuration Check (shibd -t)

Access permissions provided by the IdP environment variables


In general, network access is not granted merely because the user passed authentication: the user must also be authorized by setting conditions on the environment variables that the Service Provider populates from the attribute values returned once Identity Provider authentication succeeds. One attribute often checked to grant access is affiliation, which indicates the category of users to which the user belongs.


Screenshot: Access permissions provided by the IdP environment variables
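As an added illustration (not Zeroshell's own code, whose Captive Portal scripts are not shown on this page), the following Python evaluates an affiliation-based policy over the environment variables the Shibboleth SP exports; the variable names `affiliation` and `eppn` are the defaults from the SP's attribute-map, while the sample values and the policy dictionary are constructed.

```python
import os
import re
from typing import Dict, Iterable, List

# The Shibboleth SP joins multi-valued attributes into one environment variable
# with ';' as separator; a literal ';' inside a value is escaped as '\;'.
_UNESCAPED_SEMICOLON = re.compile(r'(?<!\\);')


def split_attribute(raw: str) -> List[str]:
    """Split an SP attribute export into its individual values."""
    if not raw:
        return []
    return [v.replace('\\;', ';') for v in _UNESCAPED_SEMICOLON.split(raw)]


def access_allowed(env: Dict[str, str], required: Dict[str, Iterable[str]]) -> bool:
    """Grant network access only if, for every attribute named in `required`,
    at least one value released by the IdP is in the allowed set.
    An attribute the IdP did not release fails closed (no value can match)."""
    for attr, allowed in required.items():
        allowed_set = set(allowed)
        values = split_attribute(env.get(attr, ''))
        if not any(v in allowed_set for v in values):
            return False
    return True


# Constructed sample environment, as mod_shib would populate it for one user.
SAMPLE_ENV = {
    "affiliation": "member@example.org;student@example.org",
    "eppn": "alice@example.org",
}

# Constructed policy: only staff or students of example.org get network access.
POLICY = {"affiliation": ["staff@example.org", "student@example.org"]}


def decide_from_environment(required: Dict[str, Iterable[str]] = POLICY) -> bool:
    """Same decision taken from the real process environment (e.g. a CGI under mod_shib)."""
    return access_allowed(dict(os.environ), required)


if __name__ == "__main__":
    print("allow" if access_allowed(SAMPLE_ENV, POLICY) else "deny")
```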

Automatic or manual unlock of the URLs of the Identity Providers and WAYF


When setting up a Captive Portal as a Shibboleth Service Provider, you immediately run into a deadlock: to obtain network access the user must authenticate against an IdP that is usually located outside the network and is therefore blocked by the captive portal itself. It is therefore desirable to whitelist the IdPs and WAYFs of the Federation. For a single IdP this is immediate, but for a Federation whose AAI Identity Providers change dynamically it is burdensome for the Captive Portal administrator. For this reason Zeroshell implements auto-discovery of the Identity Provider and WAYF URLs. Note that Zeroshell does not obtain these URLs from the Federation metadata, which may converge slowly to the real situation, but by interpreting the Service Provider's redirections to the IdP/WAYF URLs. This produces an automatic whitelist that is always instantly up to date.


Screenshot: IdP Autodiscovery
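As an added example (not Zeroshell's implementation, whose internals the page does not show), the following Python illustrates building the whitelist from the SP's own redirects rather than from metadata: a redirect is taken as an IdP hop if it carries a SAMLRequest (SAML2 HTTP-Redirect binding) and as a WAYF hop if it carries the entityID and return parameters of the Shibboleth discovery protocol. The host names and the SAMLRequest placeholder are constructed.

```python
from typing import Optional, Set
from urllib.parse import urlsplit, parse_qs


def discover_idp_host(location: str) -> Optional[str]:
    """Return the host[:port] to whitelist if `location` (the Location header of a
    redirect issued by the SP) points at an IdP SSO or WAYF endpoint, else None."""
    parts = urlsplit(location)
    if parts.scheme != "https" or not parts.hostname:
        return None  # only TLS endpoints are unlocked; a plain http redirect is ignored
    query = parse_qs(parts.query)
    is_sso_hop = "SAMLRequest" in query                      # SAML2 HTTP-Redirect binding
    is_wayf_hop = "entityID" in query and "return" in query  # Shibboleth discovery protocol
    if not (is_sso_hop or is_wayf_hop):
        return None
    host = parts.hostname.lower()
    return f"{host}:{parts.port}" if parts.port else host


class IdpWhitelist:
    """Hosts the captive portal lets unauthenticated clients reach."""

    def __init__(self) -> None:
        self.hosts: Set[str] = set()

    def observe_redirect(self, location: str) -> Optional[str]:
        """Feed every 3xx Location the SP emits; returns the host added, if any."""
        host = discover_idp_host(location)
        if host:
            self.hosts.add(host)
        return host

    def is_allowed(self, host: str) -> bool:
        return host.lower() in self.hosts


# Constructed sample redirects (the SAMLRequest payload is replaced by a placeholder).
SAMPLE_LOCATIONS = [
    "https://idp.example.org/idp/profile/SAML2/Redirect/SSO?SAMLRequest=PLACEHOLDER&RelayState=ss%3Amem%3A1",
    "https://wayf.example-federation.org/WAYF?entityID=https%3A%2F%2Fportal.example.net%2Fshibboleth&return=https%3A%2F%2Fportal.example.net%2FShibboleth.sso%2FLogin",
    "http://idp.example.org/idp/profile/SAML2/Redirect/SSO?SAMLRequest=PLACEHOLDER",
    "https://www.example.org/some/page",
]

if __name__ == "__main__":
    wl = IdpWhitelist()
    for loc in SAMPLE_LOCATIONS:
        print(loc, "->", wl.observe_redirect(loc))
    print(sorted(wl.hosts))
```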

Captive Portal authentication page with Shibboleth configured in On-Demand mode


The image below shows the captive portal login page when Shibboleth authentication is configured in On-Demand mode, that is, with RADIUS/Kerberos 5 multi-domain authentication also enabled. The structure of this page can be customized by pressing the [Template] button, which leads directly to the HTML code. As mentioned, if you use [Auto] mode, the WAYF/IdP authentication page appears directly.

Screenshot: Captive Portal authentication page with Shibboleth configured in On-Demand mode



    Copyright (C) 2005-2013 by Fulvio Ricciardi