MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #7887 from thijskh/patch-1 

Clarify some aspects of the Shibboleth config
pull/7905/head
Alexandre Dulaunoy 2021-10-29 15:14:27 +02:00 committed by GitHub
parent 7c77d1d6fc a0cf77bdc9
commit 9bc44f592c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 28 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
app/Plugin/ShibbAuth/README.md
View File

@ -69,6 +69,32 @@ Edit your MISP apache configuration by adding the below (location depends on you
<Location /Shibboleth.sso>
SetHandler shib
</Location>
<Location />
AuthType shibboleth
Require shibboleth
# Optional: always directly redirect to the IdP upon access without
# an active session. If not enabled, a "Login with SAML" button
# will be shown on the login screen to start the login process..
# ShibRequestSetting requiresession On
</Location>
```
The above will always redirect to your IdP if MISP is accessed without
an active session. An alternative is not to require Shibboleth before
the application can be accessed but show the login screen if no
Shibboleth session is present. This will then have a
"Login with SAML" button to trigger the login.
You may need to tell the rewriterules for MISP in its `.htaccess` file not to apply to Shibboleth, so add a line to exclude this from processing:
```Apache
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/Shibboleth\.sso
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?/$1 [QSA,L]
```
Enable the plugin at bootstrap.php:
@ -98,7 +124,7 @@ If the line does not exist, add it to 'Security' array, for example like below.
)
```
And configure it. MailTag, OrgTag and GroupTag are the keys for the values needed by the plugin.
And configure it. MailTag, OrgTag and GroupTag are the keys for the values (Shibboleth environment variable names) needed by the plugin.
For example if you are using ADFS you should replace IDP_FEDERATION_TAG by ADFS_FEDERATION, IDP_GROUP_TAG by ADFS_GROUP, etc.
Replace MISP_DEFAULT_ORG by the organization you want users to be assigned to in case no organization value is given by the identity provider.
The GroupRoleMatching is an array that allows the definition and correlation between groups and roles in MISP. These get updated
@ -121,6 +147,7 @@ in the list given by apache. By default, you can leave it at ';'.
'DefaultOrg' => 'MISP_DEFAULT_ORG',
),
```
If used with Apache as webserver it might be useful to make a distinction to filter out API/Syncs from SSO login. It can be added to the vhost as follows (Added lines are the If/Else clauses):
```Apache
@ -135,8 +162,6 @@ If used with Apache as webserver it might be useful to make a distinction to fil
Require valid-user
AuthType shibboleth
ShibRequestSetting requiresession On
ShibRequestSetting shibexportassertion Off
ShibUseHeaders On
</Else>
</Directory>
```