
Upload: manaf-hasibuan

Post on 02-Feb-2016


Configure the Captive Portal to authenticate users against an IdP SAML 2.0 using Shibboleth

This guide describes the configuration of the Captive Portal using a Shibboleth SAML 2.0 Identity Provider belonging to an AAI (Authentication Authorization Infrastructure), either single or Federated, to authenticate the users for network access.

Activate Shibboleth Authentication

From the form [Web Login Authentication Server] you can enable the Shibboleth authentication. In addition, you can choose either the [On Demand] mode, in which the classic screen of the Captive Portal appears for entering username and password and the user has to press the [AAI] button to be redirected to the WAYF/IdP URL, or the [Auto] mode, in which the user is redirected directly to the Identity Provider, bypassing the RADIUS/Kerberos 5 authentication of the Captive Portal. The field [SP EntityID] holds the value of the entityID parameter with which the Captive Portal Service Provider is registered in the metadata of the federation. Set this value before generating the metadata to be sent to the manager of the AAI Federation with which you want to register the Captive Portal.


Configuration of the Shibboleth module for Apache

From the panel shown below you can configure the Shibboleth module for Apache in more detail. In addition, from this panel you can upgrade the software that implements the Shibboleth Service Provider. The updates are released in the form of a single package which includes:

log4shib

opensaml 2

shibboleth-sp 2

xml-security-c

xmltooling

The updates will be available at the URL http://www.zeroshell.org/shibboleth, where the procedure on how to build the updated packages from the source code is also available.


Shibboleth module configuration via Web File Editor

Given the high configurability of the Shibboleth SP module, the choice was made to let the administrator manage the configuration files manually using the web editor. Zeroshell still intervenes in part, pre-configuring some parameters.


Configuration Check

Before restarting Shibboleth after a configuration change, you should always check the consistency of the files located in /etc/shibboleth using the [Verify] button, which highlights the issues, dividing them into warning, error, critical and fatal errors depending on their gravity.


Access permissions provided by the IdP environment variables

Generally, network access is not granted simply because the user passes the authentication process: the user must also be authorized by setting conditions on the environment variables that the Service Provider populates from the attributes returned after a successful Identity Provider authentication. One of the attributes often checked to allow access is affiliation, which indicates the membership of a user in a category of users.
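As an added illustration, not code from the Zeroshell guide, the following Python check applies such a condition to the environment variables the Shibboleth SP exports after login. It assumes the stock attribute-map.xml ids "affiliation" (eduPersonScopedAffiliation) and "unscoped-affiliation" (eduPersonAffiliation), the SP's default ";" separator for multi-valued attributes, and constructed scope and IdP entityID values.

```python
# Added example, not part of the Zeroshell guide: an authorization check over the
# environment variables the Shibboleth SP exports after a successful IdP login.
# Assumptions: the SP's attribute-map.xml uses the stock ids "affiliation"
# (eduPersonScopedAffiliation) and "unscoped-affiliation" (eduPersonAffiliation),
# multi-valued attributes arrive joined with ";" (the SP default), and the
# scopes/entityIDs below are constructed for this example.

ALLOWED_AFFILIATIONS = {"staff", "faculty", "student", "employee", "member"}
TRUSTED_SCOPES = {"example.org"}
TRUSTED_IDPS = {"https://idp.example.org/idp/shibboleth"}


def parse_multivalued(raw):
    """Split a Shibboleth SP multi-valued attribute ("a;b;c") into a list."""
    return [v.strip() for v in (raw or "").split(";") if v.strip()]


def affiliations(env):
    """Collect the affiliation names the policy may trust, with the scope stripped."""
    found = set()
    for value in parse_multivalued(env.get("affiliation")):
        # Scoped form "student@example.org": accept only values from trusted scopes.
        name, sep, scope = value.rpartition("@")
        if sep and scope.lower() in TRUSTED_SCOPES:
            found.add(name.lower())
    # Unscoped values carry no home organization; trust them only when the
    # asserting IdP (Shib-Identity-Provider) is one that is explicitly trusted.
    if env.get("Shib-Identity-Provider") in TRUSTED_IDPS:
        for value in parse_multivalued(env.get("unscoped-affiliation")):
            found.add(value.lower())
    return found


def network_access_allowed(env):
    """Deny by default: an SP session alone does not grant network access."""
    if not env.get("Shib-Session-ID"):
        return False                      # no SP session, so no authentication happened
    return bool(affiliations(env) & ALLOWED_AFFILIATIONS)


if __name__ == "__main__":
    # Constructed sample of the variables the SP would set for one request.
    sample = {"Shib-Session-ID": "_c1a2",
              "Shib-Identity-Provider": "https://idp.example.org/idp/shibboleth",
              "affiliation": "student@example.org;member@example.org"}
    print("allowed" if network_access_allowed(sample) else "denied")
```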


Automatic or manual unlock of the URLs of the Identity Providers and WAYF

When setting up a Captive Portal as a Shibboleth Service Provider, you will immediately notice a problem: to gain access to the network the user must authenticate to an IdP that is usually located outside the network and is therefore blocked by the captive portal itself, which produces a deadlock. It is therefore desirable to have a whitelist of the IdP/WAYF URLs belonging to the Federation. In the case of a single IdP this is immediate, while in the case of a Federation of AAI Identity Providers that changes dynamically it is onerous for the administrator of the Captive Portal. For this reason Zeroshell implements the auto-discovery of the URLs of the Identity Providers and WAYF. Note that Zeroshell does not obtain those URLs from the Metadata of the Federation, since the metadata may converge slowly to the real situation, but by interpreting the Service Provider redirections to the IdP/WAYF URLs. This produces an automatic whitelist that is always instantly up to date.
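The following Python sketch, added here and not taken from Zeroshell's implementation, shows the idea of learning the whitelist from the SP's own redirects: only HTTPS redirects that carry a SAML 2.0 HTTP-Redirect binding request (SAMLRequest parameter) or an IdP Discovery/WAYF request (entityID and return parameters) unlock a host, so an ordinary redirect cannot widen the whitelist. The host names and responses are constructed.

```python
# Added example, not from Zeroshell: derive the IdP/WAYF whitelist from the SAML
# redirects the Service Provider emits, instead of from federation metadata.
# Assumption: the captive portal can observe the status line and Location header
# of its own SP's responses; all host names below are constructed.
from urllib.parse import urlsplit, parse_qs

# Query parameters that mark a SAML 2.0 HTTP-Redirect request (SP -> IdP)
# or an IdP Discovery Protocol request (SP -> WAYF/discovery service).
SAML_MARKERS = ("SAMLRequest",)
WAYF_MARKERS = ("entityID", "return")


def redirect_target(status_line, headers):
    """Return the Location URL if the response is an HTTP redirect, else None."""
    try:
        code = int(status_line.split()[1])
    except (IndexError, ValueError):
        return None
    if code not in (301, 302, 303, 307):
        return None
    for name, value in headers:
        if name.lower() == "location":
            return value.strip()
    return None


def unlock_host(url):
    """Return "scheme://host:port" to whitelist when the redirect target is an
    IdP or WAYF endpoint; None for anything else."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None                      # only TLS endpoints get unlocked
    query = parse_qs(parts.query)
    is_saml = any(m in query for m in SAML_MARKERS)
    is_wayf = all(m in query for m in WAYF_MARKERS)
    if not (is_saml or is_wayf):
        return None                      # plain redirects must not widen the whitelist
    return f"{parts.scheme}://{parts.hostname}:{parts.port or 443}"


class AutoWhitelist:
    """Hosts learnt from SP redirects: the portal lets unauthenticated clients
    reach exactly these before they hold a session."""
    def __init__(self):
        self.hosts = set()

    def observe(self, status_line, headers):
        """Feed one SP response; returns the host added (or already known), else None."""
        target = redirect_target(status_line, headers)
        host = unlock_host(target) if target else None
        if host:
            self.hosts.add(host)
        return host
```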


Captive Portal authentication page with Shibboleth configured in On-Demand mode

The image below shows the captive portal login page when Shibboleth authentication is configured in On-Demand mode, that is, with RADIUS/Kerberos 5 authentication on multiple domains also enabled. The structure of this page can be customized by pressing the [Template] button, which leads directly to the HTML code. As mentioned, if you use the [Auto] mode, the WAYF/IdP authentication page appears directly.
