Integration of Shibboleth-Login in Kalamar #223
Assignees
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It should be possible to login via Shibboleth on certain KorAP instances.
Kalamar-Shibboleth-Workflow:
User clicks on the Shibboleth-Login-Button and is is redirected to either his/her home IdP or a WAYF (Where Are You From) to authenticate via Shibboleth. Can be realized as link.
Apache sends SAML attributes as HTTP headers back as the response.
Be aware, that there is no guarantee that we get all attributes that are asked. There should be at least PairwiseID, but maybe for example no givenName / surName. So we must take care that variables like user_handle are always optional in Kalamar.
Kalamar sends a token request similar to password grant without username and password, including the HTTP headers (e.g. PairwiseID) from Apache and saves them if necessary.
Example:
Request to korap.ids-mannheim.de/shibboleth -> Apache redirects to IdP -> if authentication is successful the SAML attributes in HTTP Headers will be redirected to korap.ids-mannheim.de/shibboleth -> Kalmamar saves SAML attributes if necessary and sends them to Kustvakt.
See also:
The text was updated successfully, but these errors were encountered: