Federation: Shibboleth Protecting EZProxy and Apache Reverse Proxy
Glenn Wearen Middleware Specialist, HEAnet
Sponsored by BT
EZproxy
• EZproxy used primarily by libraries
  – Publishers restrict access by IP
  – Off-campus users use the proxy so that the correct IP is presented
  – Authentication to EZproxy by LDAP or Shibboleth
  – Some libraries link to publishers via EZproxy regardless of location
    E.g. links in the library catalogue are hardcoded to EZproxy: www.publisher.com.ezproxy.mit.ie
EZproxy
• EZproxy could be used for non-library uses
EZproxy
• EZproxy works with Shibboleth
  – Typically EZproxy will be an SP that bilaterally trusts a single IdP
EZproxy
• EZproxy works with Shibboleth
  – Seamlessly works with a federation
    Multiple IdPs can be connected to EZproxy
Apache Reverse Proxy
• Configured Apache in front of a web server to proxy content from the back-end
• Can perform authentication using
  – BASIC AUTH (proxying credentials)
  – REMOTE_USER (proxying user identifier)
• Useful to federate appliances where
  – No opportunity to add SAML plugin to appliance
Apache Reverse Proxy
Front-end config
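<IfModule mod_proxy.c>
    # Reverse proxy only; never act as a forward proxy
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    <Location /app>
        # Require a Shibboleth session before anything is proxied
        AuthType shibboleth
        ShibRequireSession On
        ShibUseHeaders On
        require valid-user
        # Look ahead for REMOTE_USER and copy it into the RU environment variable
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        # Pass the user identifier to the back-end in the X-Remote-User header
        RequestHeader set X-Remote-User "%{RU}e" env=RU
        ProxyPass http://vmworkshop12.heanet.ie/
        ProxyPassReverse http://vmworkshop12.heanet.ie/
    </Location>
</IfModule>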
Back-end config
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    AuthName test
    AuthType Basic
    Require user [email protected]
</Directory>