LP#
1871211: Shibboleth integration support
This commit adds Shibboleth integration to Evergreen for use in the
OPAC. Using Shibboleth, libraries can authenticate patrons against a
wide variety of 3rd party services, using many different protocols and
standards.
Several settings control if, when and how to make use of the Shibboleth
integration:
* Enable Shibboleth SSO for the OPAC
- The main on/off switch.
* Allow both Shibboleth and native OPAC authentication
- By default only one or the other will be allowed. This enables both
native and Shibboleth login.
* Log out of the Shibboleth IdP
- If supported by the IdP configured for use on the other side of
Shibboleth, this tells Evergreen to tell Shibboleth to log out of
the IdP on Evergreen logout.
* Shibboleth SSO Entity ID
- If multiple IdPs are configured for Shibboleth, and available to a
particular hostname, this setting defines the one to use for a
given context org unit.
* Evergreen SSO matchpoint
- The Evergreen-side user field to use when looking up the patron
after successful SSO login.
* Shibboleth SSO matchpoint
- The Shibboleth-side field, defined in the attribute map, that
contains the IdP user identifier value used to look up the Evergreen
patron.
Two apache sesttings control how Evergreen interacts with Shibboeth:
* SetEnv sso_loc XXX, which acts in a way analogous to the physical_loc
environment variable to define the context OU for SSO settings.
* ShibRequestSetting applicationId XXX, which helps Shibboleth identify
the correct set of entity ID and attribute mapping configuration.
Additional Shibboleth-focused documentation and examples will be
provided for system administrators.
Signed-off-by: Mike Rylander <mrylander@gmail.com>
projects / working / Evergreen.git / commit