5.8 5.6

Skip to end of metadata
Go to start of metadata

Shibboleth has two major halves: an identity provider (IdP), which authenticates users and releases selected information about them, and a service provider (SP) that accepts and processes the user data before making access control decisions or passing the information to protected applications. These entities trust each other to properly safeguard user data and sensitive resources.

Here is the process of authentication:

  1. The user accesses a protected resource.
  2. The SP determines an IdP and issues the authentication request.
  3. The user authenticates to the IdP.
  4. The IdP issues a response to the SP.
  5. The SP decodes the message and extracts the attributes.
  6. The browser is redirected to the protected resource.

For details, see https://spaces.internet2.edu/display/SHIB2/FlowsAndConfig.

Authentication Plugin

The SHIB_AUTH plugin is implemented by the class org.nuxeo.ecm.platform.shibboleth.auth.ShibbolethAuthenticationPlugin. It authenticates the user based on HTTP headers received from the SP. It also creates (or updates) an entry in the userDirectory for this user.

In this section

As the Shibboleth attributes values are passed by HTTP headers, the service org.nuxeo.ecm.platform.shibboleth.service.ShibbolethAuthenticationService has been added to configure the mapping between the user metadata and the headers names.


Module Installation

The Easy Way

The Shibboleth authentication module could be installed through the Marketplace with the Shibboleth Authentication package.
See the Installing a New Package on Your Instance page.

The Manual Way

You can also download the built nuxeo-platform-login-shibboleth.jar, and deploy it into your Tomcat or JBoss instance, in the bundles directory.

If you did the installation by just deploying the nuxeo-platform-login-shibboleth.jar into your Nuxeo instance, you need to add a new configuration file to define the login and logout URLs, the mapping between the user metadata and the headers names.

Add a new file named shibboleth-config.xml in the config/ directory of your server.

  • $NUXEO/nxserver/config for a Tomcat distribution
  • $NUXEO/server/default/deploy/nuxeo.ear/config for a JBoss distribution

Overriding the Default Authentication Chain

To enable the Shibboleth authentication, you need to add the Shibboleth plugin to the authentication chain.

To override the default authentication chain in Nuxeo DM, add a new file named authentication-chain-config.xml in the config/ directory of your server.


If you already defined your own authentication chain in any of your config or contrib files, you just need to add the SHIB_AUTH plugin into your own chain.

Anonymous Authentication Compatibility

As it is not possible to write access rules based on resource URLs with Nuxeo, Shibboleth LazySession has to be enabled. By adding the ANONYMOUS_AUTH in the authentication chain, the Shibboleth login will only be asked when accessing a restricted resource.

For that, the org.nuxeo.ecm.platform.shibboleth.auth.exceptionhandling.ShibbolethSecurityExceptionHandler will redirect to the login URL when a NuxeoSecurityException is thrown while the current user is anonymous.

To activate it, add a new file named login-anonymous-config.xml in the config/ directory of your server.


Full Sample Configuration File

Here is a sample configuration file containing everything you need to set up the Shibboleth authentication module:

Source Code

The source code of the Shibboleth authentication module can be found as part of the nuxeo-platform-login addon on GitHub.

ShibbGroups Addon

ShibbGroups are virtual groups based on an EL expression with Shibboleth attributes. A new user management tab is added to create and edit them. The definitions are stored in the shibbGroup directory.

The class org.nuxeo.ecm.platform.shibboleth.computedgroups.ShibbolethGroupComputer computes at login time the ShibbGroups that the current user is member of.

The source code of this addon can be found on GitHub.