Configure the Captive Portal to authenticate users against a SAML 2.0 IdP using Shibboleth

This guide describes how to configure the Captive Portal to authenticate users for network access against a Shibboleth SAML 2.0 Identity Provider belonging to an AAI (Authentication and Authorization Infrastructure), either a single IdP or a federation of them.

Note that this document is still in draft form and is mostly a collection of screenshots.

The discussion is divided into the following sections:

Activate Shibboleth Authentication

From the [Web Login Authentication Server] form you can enable Shibboleth authentication. You can also choose between two modes: [On Demand], in which the classic Captive Portal screen for entering username and password appears and the user must press the [AAI] button to be redirected to the WAYF/IdP URL, and [Auto], in which the user is redirected directly to the Identity Provider, bypassing the Captive Portal's RADIUS/Kerberos 5 authentication. The [SP EntityID] field is the value of the entityID parameter under which the Captive Portal Service Provider is registered in the federation metadata. Set this value before generating the metadata to be sent to the manager of the AAI Federation with which you want to register the Captive Portal.

Configuring SAML 2.0 Authentication for the Captive Portal

Configuration of the Shibboleth module for Apache

From the panel shown below you can configure the Shibboleth module for Apache in more detail. From this panel you can also upgrade the software that implements the Shibboleth Service Provider. Updates will be released as a single package which includes:

  • log4shib
  • opensaml 2
  • shibboleth-sp 2
  • xml-security-c
  • xmltooling

The updates will be available at the URL https://www.zeroshell.org/shibboleth, where the procedure for building the updated packages from source code is also described.

Shibboleth Configuration Module

Shibboleth module configuration via Web File Editor

Given the high configurability of the Shibboleth SP module, the configuration files are managed manually through the web editor. Zeroshell nevertheless pre-configures some parameters.

Shibboleth Configuration Editor

Configuration Check

After a configuration change and before restarting Shibboleth, always check the consistency of the files in /etc/shibboleth with the [Verify] button, which highlights the issues found, classified as warning, error, critical or fatal according to their severity.

Shibboleth Configuration Check Utility

Access permissions provided by the IdP environment variables

Generally, network access is not granted merely because the user passes authentication: the user must also be authorized, by setting conditions on the environment variables that the Service Provider populates from the attribute values returned once Identity Provider authentication succeeds. One attribute often checked to grant access is affiliation, which indicates the category of users to which the user belongs.

Shibboleth Authorization Filters
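The authorization step described above, as an added example that is not Zeroshell's or the Shibboleth project's own code: it evaluates an affiliation allow-list over the environment variables the SP exports to the web application. It assumes the SP's default attribute map (which names eduPersonScopedAffiliation `affiliation`), that multi-valued attributes arrive joined with `;` as the SP does, and the sample environments are constructed.

```python
# Added example (not Zeroshell's or Shibboleth's own code): evaluate an
# affiliation-based access rule over the environment variables that the
# Shibboleth SP exports to the web application after a successful IdP login.
# Assumptions: attribute names follow the SP's default attribute map
# (eduPersonScopedAffiliation -> "affiliation"); multi-valued attributes are
# joined with ";" as the SP does; the environments below are constructed.
from typing import Mapping

def attribute_values(env: Mapping[str, str], name: str) -> list:
    """Split a multi-valued SP attribute; a missing attribute is an empty list."""
    raw = env.get(name, "")
    return [v for v in raw.split(";") if v]

def affiliation_allowed(env: Mapping[str, str], allowed, scope=None) -> bool:
    """Grant access only if at least one affiliation value is in the allow-list.

    Values may be scoped (e.g. "staff@example.org"). If `scope` is given, a
    scoped value must carry exactly that scope, so that a foreign IdP's
    "staff" does not satisfy a rule meant for the home organisation.
    """
    for value in attribute_values(env, "affiliation"):
        name, _, value_scope = value.partition("@")
        if value_scope and scope and value_scope.lower() != scope.lower():
            continue  # right affiliation, wrong organisation
        if name.lower() in allowed:
            return True
    return False

# Constructed sample environments, shaped as the SP would populate them.
ENV_STAFF = {"REMOTE_USER": "jdoe@example.org", "affiliation": "member;staff"}
ENV_GUEST = {"REMOTE_USER": "guest@partner.org", "affiliation": "affiliate"}
ENV_FOREIGN = {"affiliation": "staff@other.org"}
ENV_NONE = {"REMOTE_USER": "x@example.org"}  # IdP released no affiliation

ALLOWED = {"staff", "student", "faculty"}

if __name__ == "__main__":
    for label, env in [("staff", ENV_STAFF), ("guest", ENV_GUEST),
                       ("foreign", ENV_FOREIGN), ("no attr", ENV_NONE)]:
        print(label, affiliation_allowed(env, ALLOWED, scope="example.org"))
```

A user with no affiliation attribute at all is denied, which is the safe default when an IdP withholds the attribute.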

Automatic or manual unlock of the URLs of the Identity Providers and WAYF

When setting up a Captive Portal as a Shibboleth Service Provider you immediately run into a deadlock: to gain network access the user must authenticate at an IdP that is usually located outside the local network and is therefore blocked by the captive portal itself. A whitelist of the IdP/WAYF URLs belonging to the Federation is therefore needed. With a single IdP this is immediate; with a federation of AAI Identity Providers that change dynamically it is onerous for the Captive Portal administrator. For this reason Zeroshell implements auto-discovery of the Identity Provider and WAYF URLs. Note that Zeroshell does not derive these URLs from the Federation metadata, which may converge slowly to the real situation, but by interpreting the Service Provider's redirections to the IdP/WAYF URLs. This produces an automatic whitelist that is always up to date.

IdP and WAYF Autodiscovery and Manual Whitelist
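The auto-discovery idea above, as an added example rather than Zeroshell's own implementation: it derives the whitelist from the hosts the SP redirects the browser to, ignoring redirects that stay on the SP itself. The SP hostname, the HTTP responses and all host names are constructed assumptions.

```python
# Added example (not Zeroshell's own code): derive the IdP/WAYF whitelist from
# the Service Provider's redirects instead of the federation metadata. The SP
# answers a protected request with a 302 whose Location points at the WAYF or
# at an IdP SSO endpoint; that host is what the captive portal must unblock.
# All responses and host names below are constructed samples.
from typing import Iterable, Optional, Set
from urllib.parse import urlsplit
SP_HOST = "portal.example.org"  # assumed hostname of the captive portal / SP

def redirect_target(raw_response: str) -> Optional[str]:
    """Return the Location header of a 3xx HTTP response, else None."""
    lines = raw_response.splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        return None
    parts = lines[0].split(maxsplit=2)
    if len(parts) < 2 or not parts[1].startswith("3"):
        return None
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None

def discover_hosts(responses: Iterable[str], whitelist=None) -> Set[str]:
    """Add the host of every absolute, external redirect target to the whitelist."""
    found = set(whitelist or ())
    for resp in responses:
        loc = redirect_target(resp)
        if not loc:
            continue
        u = urlsplit(loc)
        if u.scheme not in ("http", "https") or not u.hostname:
            continue  # relative redirect: the browser stays on the SP
        if u.hostname == SP_HOST:
            continue  # the SP's own handler (e.g. /Shibboleth.sso), never an IdP
        found.add(u.hostname)
    return found

# Constructed SP responses: a redirect to the WAYF, one straight to an IdP, one
# back into the SP's own handler (must not be whitelisted), and a plain 200.
SAMPLE_RESPONSES = [
    "HTTP/1.1 302 Found\r\nLocation: https://wayf.federation.example/WAYF?entityID=https%3A%2F%2Fportal.example.org%2Fshibboleth\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: https://idp.univ.example/idp/profile/SAML2/Redirect/SSO?SAMLRequest=...\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: https://portal.example.org/Shibboleth.sso/Login?target=/\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
]
if __name__ == "__main__":
    print(sorted(discover_hosts(SAMPLE_RESPONSES)))
```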

Captive Portal authentication page with Shibboleth configured in On-Demand mode

The image below shows the captive portal login page when Shibboleth authentication is configured in On-Demand mode, that is, with RADIUS/Kerberos 5 multi-domain authentication also enabled. The layout of this page can be customized by pressing the [Template] button, which leads directly to the HTML code. As mentioned, if you use [Auto] mode the WAYF/IdP authentication page appears directly.

Captive Portal configured for On-demand SAML Authentication