Shibboleth on Apache 2.4 Using Mixed Authentication Methods

by Jonathan Lent

Like many developers, application maintainers, and system administrators at Stanford, I’ve been focussing a lot of time lately on migrating legacy web applications to using Shibboleth (from WebAuth). Also like many, I’ve found Alex Tayts’ article Migrating away from WebAuth: practical steps very useful during this process. However, as straight-forward as that writeup is, it doesn’t account for one thing: the Shibboleth SP software is not perfect.

During a recent deployment, I found that by simply enabling the shib2 Apache module on systems with Apache 2.4 running, applications using multiple AuthTypes (e.g. WebAuth and basic authentication) were suddenly presenting a 401 (Unauthorized) error message. This was before adding any directives to use Shibboleth as the AuthType.

Continue reading “Shibboleth on Apache 2.4 Using Mixed Authentication Methods”

Migrating away from WebAuth, practical steps

Stanford University is in the process of migrating from its homegrown authentication system, WebAuth, to the widely deployed and feature-rich SAML-based authentication. This brings a lot of benefits, like better compatibility, wider application support and easy federation with other institutions.

There are multiple SAML (Security Assertion Markup Language) implementations, but this article is focuses on two of them, Shibboleth and SimpleSAMLphp.

Shibboleth is well-documented and there are Stanford UIT documentation pages with high level descriptions of how it fits into the Stanford infrastructure. In this article I will talk about the practical steps one has to take to migrate from WebAuth to Shibboleth or SimpleSAMLphp, how to set them up and what adjustments have to be made to the configuration files on the SP (Service Provider) side.

Parts of the article are a rehash of the official UIT Shibboleth documentation with some corrections and explanations of the steps pertinent to the topic of migration from WebAuth. The content is based on our client’s questions and the issues we encountered while performing these migrations for our clients. Continue reading “Migrating away from WebAuth, practical steps”