This guide describes how to configure the Captive Portal to authenticate users for network access through a Shibboleth SAML 2.0 Identity Provider, either a single IdP belonging to an AAI (Authentication and Authorization Infrastructure) or one that is part of a federation.
Note that this document is still in draft form and is mostly a collection of screenshots.
The discussion is divided into the following sections:
- Activate Shibboleth Authentication
- Configuration of the Shibboleth module for Apache
- Shibboleth module configuration via Web File Editor
- Configuration Check
- Access permissions provided by the IdP environment variables
- Automatic or manual unlock of the URLs of the Identity Providers and WAYF
- Captive Portal authentication page with Shibboleth configured in On-Demand mode
From the [Web Login Authentication Server] form you can enable Shibboleth authentication and choose between two modes. In [On Demand] mode the classic Captive Portal screen for entering username and password appears, and the user must press the [AAI] button to be redirected to the WAYF/IdP URL. In [Auto] mode the user is redirected directly to the Identity Provider, bypassing the Captive Portal's RADIUS/Kerberos 5 authentication. The [SP EntityID] field holds the value of the entityID parameter under which the Captive Portal Service Provider is registered in the federation metadata. Set this value before generating the metadata to be sent to the manager of the AAI federation with which you want to register the Captive Portal.
From the panel shown below you can configure the Shibboleth module for Apache in more detail. From the same panel you can also upgrade the software that implements the Shibboleth Service Provider. Updates are released as a single package which includes:
- opensaml 2
- shibboleth-sp 2
Updates will be available at https://www.zeroshell.org/shibboleth, where the procedure for building the updated packages from source code is also described.
Given the high configurability of the Shibboleth SP module, the configuration files are managed manually through the web editor. Zeroshell nevertheless pre-configures some of the parameters.
After a configuration change and before restarting Shibboleth, always check the consistency of the files in /etc/shibboleth with the [Verify] button. It reports the issues found, classified as warning, error, critical or fatal according to their severity.
Generally, network access is not granted merely because the user passes authentication: the user must also be authorized, by setting conditions on the environment variables that the Service Provider populates from the attribute values returned after a successful Identity Provider authentication. One of the attributes most often checked to grant access is affiliation, which indicates the category of users to which the user belongs.
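The following is an added example (not Zeroshell's own code) of the kind of authorization check described above, written in Python so the logic can be run stand-alone. It assumes the Shibboleth SP has mapped the IdP attributes to request environment variables as in the stock attribute-map.xml, where eduPersonScopedAffiliation lands in the variable `affiliation`; the SP joins multi-valued attributes with `;` and escapes a literal semicolon as `\;`, which the helper below undoes. The sample environments are constructed, and the rule list is a hypothetical policy for a hypothetical scope `example.org`.

```python
"""Attribute-based authorization on Shibboleth SP environment variables."""
import re
from typing import Iterable, Mapping, Sequence, Tuple

# Shibboleth SP exports a multi-valued attribute as one variable whose values
# are joined with ';'; a literal ';' inside a value is escaped as '\;'.
_VALUE_SEP = re.compile(r"(?<!\\);")


def split_values(raw: str) -> list:
    """Split an SP attribute variable into its individual values."""
    if not raw:
        return []
    parts = [p.replace("\\;", ";").strip() for p in _VALUE_SEP.split(raw)]
    return [p for p in parts if p]


# An access rule: the environment variable to inspect and the values that
# grant access. Rules are combined with OR (any matching rule grants access).
Rule = Tuple[str, Sequence[str]]


def authorize(env: Mapping[str, str], rules: Iterable[Rule]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request's SP environment."""
    # Authentication first: without an SP session the attribute variables
    # are not populated by the SP and must not be trusted.
    if not env.get("Shib-Session-ID"):
        return False, "no Shibboleth session"
    for var, accepted in rules:
        # Affiliation values are case-insensitive; the scope after '@'
        # is compared as part of the value, so member@other.example is
        # not confused with member@example.org.
        wanted = {v.lower() for v in accepted}
        present = {v.lower() for v in split_values(env.get(var, ""))}
        hit = present & wanted
        if hit:
            return True, "%s = %s" % (var, sorted(hit)[0])
    return False, "no rule matched"


# Hypothetical policy: only members or staff of example.org may use the network.
RULES = [("affiliation", ["member@example.org", "staff@example.org"])]

# Constructed sample environments (no real users, sessions or IdPs).
STUDENT_ENV = {
    "Shib-Session-ID": "_c0ffee",
    "Shib-Identity-Provider": "https://idp.example.org/idp/shibboleth",
    "affiliation": "student@example.org;member@example.org",
}
FOREIGN_ENV = {
    "Shib-Session-ID": "_deadbeef",
    "Shib-Identity-Provider": "https://idp.other.example/idp/shibboleth",
    "affiliation": "member@other.example",
}
NO_SESSION_ENV = {"affiliation": "member@example.org"}

if __name__ == "__main__":
    for name, env in (("student", STUDENT_ENV), ("foreign", FOREIGN_ENV),
                      ("no-session", NO_SESSION_ENV)):
        print(name, authorize(env, RULES))
```

The session check comes first on purpose: an attribute variable that is present without `Shib-Session-ID` did not come from the SP, so it is never a basis for granting access.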
When setting up a Captive Portal as a Shibboleth Service Provider you immediately run into a deadlock: to gain network access the user must authenticate to an IdP that is usually located outside the network and is therefore blocked by the captive portal itself. A whitelist of the IdP/WAYF hosts of the federation is therefore needed. With a single IdP this is immediate, but with a federation of AAI Identity Providers that changes dynamically it becomes burdensome for the Captive Portal administrator. For this reason Zeroshell implements auto-discovery of the Identity Provider and WAYF URLs. Note that Zeroshell does not obtain these URLs from the federation metadata, which may converge slowly to the real situation, but by interpreting the Service Provider's redirections to the IdP/WAYF URLs. This yields an automatic whitelist that is always instantly up to date.
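As an added illustration of the redirect-based discovery described above (example code, not Zeroshell's implementation, whose internals the page does not describe), the Python below classifies the Location header of an SP redirect and learns the IdP or WAYF host from it. It assumes the SP's redirect to an IdP carries a `SAMLRequest` (HTTP-Redirect binding) or `SAMLart` parameter, and that a redirect to a discovery service/WAYF carries the SAML discovery-protocol parameters `entityID` and `return`; redirects that carry neither are not whitelisted, so an unrelated redirect cannot open a hole. All URLs and hosts are constructed samples.

```python
"""Learn IdP/WAYF hosts for the captive-portal whitelist from SP redirects."""
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Parameters that identify a SAML authentication request to an IdP
# (HTTP-Redirect binding, or artifact binding) ...
SAML_MARKERS = {"SAMLRequest", "SAMLart"}
# ... and a SAML discovery-protocol (WAYF) request from the SP.
DS_MARKERS = {"entityID", "return"}


def classify_redirect(location: str) -> Optional[Tuple[str, str]]:
    """Return ("idp", host) or ("wayf", host) for a Location header, else None."""
    u = urlsplit(location)
    # Only TLS endpoints are learned: federation IdP/WAYF endpoints are https,
    # and a plain-http hit must not end up in the whitelist.
    if u.scheme != "https" or not u.hostname:
        return None
    params = set(parse_qs(u.query, keep_blank_values=True).keys())
    if params & SAML_MARKERS:
        return "idp", u.hostname
    if DS_MARKERS <= params:
        return "wayf", u.hostname
    return None


class AuthWhitelist:
    """Hosts an unauthenticated client may reach: manual entries plus learned ones."""

    def __init__(self, manual=()):
        self.manual = {h.lower() for h in manual}
        self.learned: Dict[str, str] = {}   # host -> "idp" | "wayf"

    def observe(self, location: str) -> bool:
        """Feed one SP redirect target; return True if a host was learned."""
        hit = classify_redirect(location)
        if hit is None:
            return False
        kind, host = hit
        self.learned[host] = kind
        return True

    def allows(self, host: str) -> bool:
        host = host.lower()
        return host in self.manual or host in self.learned


# Constructed sample redirects, in the order a login would produce them:
# SP -> WAYF (discovery request), then WAYF/SP -> IdP (authentication request).
WAYF_REDIRECT = ("https://wayf.example.org/WAYF?"
                 "entityID=https%3A%2F%2Fcp.example.org%2Fshibboleth&"
                 "return=https%3A%2F%2Fcp.example.org%2FShibboleth.sso%2FLogin")
IDP_REDIRECT = ("https://idp.example.org/idp/profile/SAML2/Redirect/SSO?"
                "SAMLRequest=fZFBb9swDIXv%2BRWC7o6dxA&RelayState=ss%3Amem%3A1")
PLAIN_REDIRECT = "https://www.example.com/welcome"            # not SAML: ignored
INSECURE_REDIRECT = "http://idp.example.org/sso?SAMLRequest=AAA"  # not https: ignored

if __name__ == "__main__":
    wl = AuthWhitelist(manual=["cp.example.org"])
    for loc in (WAYF_REDIRECT, IDP_REDIRECT, PLAIN_REDIRECT, INSECURE_REDIRECT):
        print(loc.split("?")[0], "->", wl.observe(loc))
    print(sorted(wl.learned.items()))
```

Learned hosts are keyed by hostname only; if the captive portal filters by address, the resolved addresses of the learned hosts are what actually get unblocked, and the map of host to kind (`idp`/`wayf`) is what a status page would show the administrator.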
The image below shows the captive portal login page when Shibboleth authentication is configured in On-Demand mode, i.e. with RADIUS/Kerberos 5 multi-domain authentication also enabled. The structure of this page can be customized by pressing the [Template] button, which leads directly to the HTML code. As mentioned, in [Auto] mode the WAYF/IdP authentication page appears directly.