Shibboleth implementation

Shibboleth implementation

Tom Hanstra-2
I've been trying to work on switching our login authorization to Shibboleth
using the information in the Koha Community Wiki. But I've hit some issues
which I've not been able to fully understand. For my particular site, the
SSO provider is an OKTA instance.

Anyone out there who has Koha working with this combination (Shibboleth and
OKTA)?  I could use some coaching through the various options.

Thanks,
Tom

--
*Tom Hanstra*
*Sr. Systems Administrator*
[hidden email]

<http://library.nd.edu/>
_______________________________________________
Koha mailing list  http://koha-community.org
[hidden email]
https://lists.katipo.co.nz/mailman/listinfo/koha

Re: Shibboleth implementation

Admire Mutsikiwa
Seems to have solved the problem by cronning (scheduling) incremental zebra
re-index as follows
*/2 *  *  * * /usr/sbin/koha-rebuild-zebra --force instance

Kind regards


On Thu, May 2, 2019 at 7:29 PM Tom Hanstra <[hidden email]> wrote:

> I've been trying to work on switching our login authorization to Shibboleth
> using the information in the Koha Community Wiki. But I've hit some issues
> which I've not been able to fully understand. For my particular site, the
> SSO provider is an OKTA instance.
>
> Anyone out there who has Koha working with this combination (Shibboleth and
> OKTA)?  I could use some coaching through the various options.
>
> Thanks,
> Tom

Re: Shibboleth implementation

Tom Hanstra-2
Looks like a response on the wrong thread.

In case anyone is reviewing casually, my Shibboleth issue is not resolved
and I could still use some assistance.

Tom

On Thu, May 2, 2019 at 2:07 PM Admire Mutsikiwa <[hidden email]>
wrote:

> Seems to have solved the problem by cronning (scheduling) incremental
> zebra re-index as follows
> */2 *  *  * * /usr/sbin/koha-rebuild-zebra --force instance
>
> Kind regards

Re: Shibboleth implementation

jcoehoorn
In reply to this post by Tom Hanstra-2
A note for the list: I managed to get this (mostly) working today, and then
spent some time updating the wiki page
<https://wiki.koha-community.org/wiki/Shibboleth_Configuration>, including
the sample shibboleth2.xml file, to make it much easier to follow for AD FS
folks.

I will still need to update the login template, since I also no longer ever
want my users to even see the username/password entry fields, but at least
the core SSO login piece works and it's an option if you happen to see the
"login with shibboleth" link.

Joel Coehoorn
Director of Information Technology
402.363.5603
*[hidden email] <[hidden email]>*

*Please contact [hidden email] <[hidden email]> for technical
assistance.*


The mission of York College is to transform lives through
Christ-centered education and to equip students for lifelong service to
God, family, and society



Re: Shibboleth implementation

MartinRenvoize
Thanks for updating the wiki, sorry to hear it was out of date.. it's been
on my list to take a look at for a while and make sure it all still made
sense.

As an alternative to editing the templates and maintaining a local patch
yourself indefinitely.. it would be great to see a signoff on bug 18506 -
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506.

All the best,




On Fri, 24 May 2019, 7:01 pm Coehoorn, Joel, <[hidden email]> wrote:

> A note for the list: I managed to get this (mostly) working today, and then
> spent some time updating the wiki page
> <https://wiki.koha-community.org/wiki/Shibboleth_Configuration>, including
> the sample shibboleth2.xml file, to make it much easier to follow for AD FS
> folks.
>
> I will still need to update the login template, since I also no longer ever
> want my users to even see the username/password entry fields, but at least
> the core SSO login piece works and it's an option if you happen to see the
> "login with shibboleth" link.

Re: Shibboleth implementation

jcoehoorn
That is a good idea, but I think we can do even better. As a college
library, 99%+ of our patrons are institutional users. However, we also
allow public patrons with limited permissions. These users will not have
institutional accounts for use with Shibboleth. Instead, library staff sets
up these users with traditional accounts. Thus, I don't want to remove the
old username/password login; I just want to demote it, so the shibboleth
login is the natural and featured login people will see first.

But, again, the perfect is the enemy of the good. Get this existing pull
request merged first, and if there's more demand we can further evolve the
system to support the additional use case later.


On Mon, May 27, 2019 at 11:51 AM Renvoize, Martin <
[hidden email]> wrote:

> Thanks for updating the wiki, sorry to hear it was out of date.. it's been
> on my list to take a look at for a while and make sure it all still made
> sense.
>
> As an alternative to editing the templates and maintaining a local patch
> yourself indefinitely.. it would be great to see a signoff on bug 18506 -
> https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506.
>
> All the best,