NIHVIVO-1329 document how to setup Shibboleth.

2010-12-14 21:58:02 +00:00 · 2010-12-14 21:58:02 +00:00 · 42191b21b1
commit 42191b21b1
parent 53ca30a08d
2 changed files with 107 additions and 2 deletions
--- a/doc/install.txt
+++ b/doc/install.txt
@ -33,7 +33,8 @@ are slightly different. Please consult developers.txt in this directory.
    * IX. Set the Contact Email Address (if using "Contact Us" form)
    * X. Setup Apache Tomcat Connector
    * XI. Configure Pellet Reasoner
-    * XII. Was the installation successful?
+    * XII. Using an External Authentication System with VIVO
+    * XIII. Was the installation successful?

 -------------------------------------------------------------------------------
 
@ -156,6 +157,17 @@ example value:  password
 property name:  initialAdminUser 	
 example value:  defaultAdmin

+                The name of a property that can be used to associate an Individual
+                with a user account. When a user logs in with a name that matches
+                the value of this property, the user will be authorized to edit
+                that Individual.
+property name:  selfEditing.idMatchingProperty 	
+example value:  http://vivo.mydomain.edu/ns#networkId
+
+NOTE: If you want to use an external authentication system like Shibboleth or
+CUWebAuth, you will need to set two additional properties in this file. See 
+the section below entitled "Using an External Authentication System with VIVO".
+
 -------------------------------------------------------------------------------
 
 V. Compile and deploy
@ -334,7 +346,83 @@ property entailments are not needed.

 -------------------------------------------------------------------------------

-XII. Was the installation successful?
+XII. Using an External Authentication System with VIVO
+
+VIVO can be configured to work with an external authentication system like 
+Shibboleth or CUWebAuth.
+
+VIVO must be accessible only through an Apache HTTP server. The Apache server 
+will be configured to invoke the external authentication system. When the user 
+completes the authentication, the Apache server will pass a network ID to VIVO, 
+to identify the user.
+
+If VIVO has an account for that user, the user will be logged in with the 
+privileges of that account. In the absence of an account, VIVO will try to find 
+a page associated with the user. If such a page is found, the user can log in 
+to edit his own profile information.
+
+---- Configuring the Apache server:
+
+Your institution will provide you with instructions for setting up the external 
+authentication system. The Apache server must be configured to secure a page in 
+VIVO. When a user reaches this secured page, the Apache server will invoke the 
+external authentication system.
+
+For VIVO, this secured page is named:
+    /loginExternalAuthReturn 
+When your instructions call for the location of the secured page, this is the 
+value you should use.
+
+---- Configuring VIVO:
+
+To enable external authentication, VIVO requires three values in the 
+deploy.properties file.
+
+* The name of the HTTP header that will hold the external user’s network ID
+
+    When a user completes the authentication process, the Apache server will 
+    put the user’s network ID into one of the headers of the HTTP request. 
+    The instructions from your institution should tell you which header is 
+    used for this purpose. 
+
+    You need to tell VIVO the name of that HTTP header. Insert a line like 
+    this in the deploy.properties file:
+          externalAuth.netIdHeaderName = [the header name]
+    For example:
+          externalAuth.netIdHeaderName = remote_userID 
+
+* The text for the Login button
+
+    To start the authentication process, the user will click on a button in 
+    the VIVO login form. You need to tell VIVO what text should appear in that 
+    button.
+
+    Put a line like this in the deploy.properties file:
+          externalAuth.buttonText = [the text for your login button]
+    For example:
+          externalAuth.buttonText = Log in using BearCat Shibboleth
+          
+    The VIVO login form will display a button labelled “Log in using BearCat 
+    Shibboleth”.
+    
+* Associating a User with a profile page
+
+    If VIVO has an account for the user, the user will be given the privileges 
+    assigned to that account.
+     
+    In addition, VIVO will try to associate the user with a profile page, so 
+    the user may edit his own profile data. VIVO will search the data model 
+    for a person with a property that matches the User’s network ID.
+    
+    You need to tell VIVO what property should be used for matching. Insert 
+    a line like this in the deploy.properties file:
+          selfEditing.idMatchingProperty = [the URI of the property]
+    For example:
+          selfEditing.idMatchingProperty = http://vivo.mydomain.edu/ns#networkId
+
+-------------------------------------------------------------------------------
+
+XIII. Was the installation successful?

 If you have completed the previous steps, you have good indications that the 
 installation was successful. 
--- a/example.deploy.properties
+++ b/example.deploy.properties
@ -78,3 +78,20 @@ VitroConnection.DataSource.pool.maxActive = 320
 # change the password the first time you login.
 #
 initialAdminUser = defaultAdmin
+
+#
+# How is a logged-in user associated with a particular Individual? One way is 
+# for the Individual to have a property whose value is the username of the user.
+# This is the name of that property.
+#
+selfEditing.idMatchingProperty = http://vivo.mydomain.edu/ns#networkId
+
+#
+# If an external authentication system like Shibboleth or CUWebAuth is to be
+# used, these properties say how the login button should be labeled, and which
+# HTTP header will contain the user ID from the authentication system. If such
+# as system is not to be used, leave these commented out. Consult the 
+# installation instructions for more details. 
+#
+#externalAuth.buttonText = Log in using BearCat Shibboleth
+#externalAuth.netIdHeaderName = remote_userID