Hello,
We are trying to get Opencast and Tobira working with Shibboleth.
Unfortunately, we are facing a few issues, and there does not seem to be a lot of documentation around, especially on the topic of nginx and Shibboleth configuration. My hope is that there might be someone here who has a working environment and who is willing to share some information on their configuration and application distribution.
To limit the scope of this thread, the question is focussed on the Tobira part, but some points might touch the Opencast parts, which we have not set up yet (Tobira is higher priority, as it is facing a larger user group than Opencast's admin and engage UIs).
Our setup:
* A public web server (nginx) acts as proxy for the applications in the backend, and on each application server there is another nginx setup as a local proxy.
opencast.example.org -> public proxy -> tobira.opencast.internal.example.org -> local proxy -> Tobira
admin.opencast.example.org -> public proxy -> admin.opencast.internal.example.org -> local proxy -> Opencast Admin Node
video.opencast.example.org -> public proxy -> engage.opencast.internal.example.org -> local proxy -> Opencast Engage Node
* Only the public proxy host is publicly available; the application servers are all on internal networks and not reachable from the outside.
* A Shibboleth service provider is registered with the AAI and generally working (tested with a static sample resource before trying the integration with Tobira).
The goal:
* One service provider for the whole environment. (The daemon can be installed on several servers, I just don't want to have to register several SPs for what is essentially one service.)
* Tobira can be called without login. When a user clicks the login button, the Shibboleth handler should start its process (IdP discovery, redirect to login host, redirect back to application after success).
* Opencast can be called without login. If and when a resource needs user information, the Shibboleth handler should start its process, allowing Opencast to check if the user is allowed to access the resource.
I managed to get Shibboleth login to work with Tobira (thanks to some help from Lukas Kalbertodt) by setting it up on the public proxy for the main domain (opencast.example.org). However, there are several problems with this setup:
* Tobira can only be called after having a Shibboleth session, i.e. people have to log in before being able to reach the front page. This is not the desired outcome, as the front page (and public video pages) should be reachable without having to log in. As an aside, Opencast cannot talk to Tobira, as it is redirected to the Shibboleth login process when trying to get `/.well-known/jwks.json` from the Tobira host. As there is no list or pattern of resources that need authentication (or no authentication), this makes it hard to set up a workable nginx configuration.
* Since Shibboleth is located on the public proxy and configured for the Tobira domain, I have to figure out how to include further configuration to allow Opencast to use the same installation under a different domain address. This might be possible with application overrides?
* Tobira's documentation describes a scenario where Shibboleth would be installed only on the Tobira host, letting Tobira decide when to call the authorizer, but I cannot find any information on how this would actually work, and the documentation is very vague on this point.
* Installing Shibboleth directly on the Tobira host and just handing all requests via the public proxy down to the internal proxy does not work: The handler endpoints are reachable, but when the handler sends me to our EDS page, it puts the internal proxy's hostname in the redirect parameter, which is a) not on the allow list, and b) not the right return target for after the IdP login.
Long story short:
I am looking for more detailed information on how to set up the environment to work with Shibboleth for authentication. If someone has a link to helpful documentation or is willing to share their configuration, it would help me a lot.
Thanks in advance, and best regards,
Maxime
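One way to wire this up on the nginx side, as an added example that is not from the post above nor from Tobira's or Shibboleth's own documentation: the public proxy forwards the public hostname, and the local proxy on the Tobira host runs the SP with a lazy session so only the login path forces authentication. It assumes the nginx-http-shibboleth module with shibd's FastCGI authorizer/responder sockets, Tobira's full-auth-proxy mode and its x-tobira-* header names, the attribute ids from attribute-map.xml, the /~login path and Tobira's listen port; all of these are assumptions to check against your own setup.

```nginx
# Public proxy: forward the public host so the SP on the Tobira host builds
# its handler/return URLs with opencast.example.org, not the internal name.
server {
    listen 443 ssl;
    server_name opencast.example.org;
    location / {
        proxy_pass https://tobira.opencast.internal.example.org;
        proxy_set_header Host $host;
    }
}

# Local proxy on the Tobira host (shibd + nginx-http-shibboleth assumed).
# Public name first: $server_name feeds SERVER_NAME in the FastCGI params,
# and TLS on this hop sets HTTPS, so the SP sees the public URL.
server {
    listen 443 ssl;
    server_name opencast.example.org tobira.opencast.internal.example.org;

    location ^~ /Shibboleth.sso {      # SP handlers: Login, ACS, Logout
        include shib_fastcgi_params;
        fastcgi_pass unix:/run/shibboleth/shibresponder.sock;
    }
    location = /shibauthorizer {       # subrequest target, not client-facing
        internal;
        include shib_fastcgi_params;
        fastcgi_pass unix:/run/shibboleth/shibauthorizer.sock;
    }

    # Lazy session: in shibboleth2.xml the RequestMapper entry for this host
    # has requireSession="false" and only <Path name="~login"
    # requireSession="true"/>. The authorizer then exposes attributes whenever
    # a session exists but forces login only on /~login (assumed to be where
    # Tobira's login button points), so the front page and
    # /.well-known/jwks.json stay reachable without a login.
    location / {
        shib_request /shibauthorizer;
        # Attribute ids are assumptions; they come from attribute-map.xml.
        shib_request_set $shib_uid   $upstream_http_variable_uid;
        shib_request_set $shib_name  $upstream_http_variable_displayname;
        shib_request_set $shib_roles $upstream_http_variable_affiliation;
        # Header names as in Tobira's full-auth-proxy mode (assumed; the
        # Tobira auth docs state the exact names and value encoding).
        # proxy_set_header replaces any x-tobira-* header the client sent,
        # and an empty value drops the header, so clients cannot inject one.
        proxy_set_header x-tobira-username          $shib_uid;
        proxy_set_header x-tobira-user-display-name $shib_name;
        proxy_set_header x-tobira-user-roles        $shib_roles;
        proxy_pass http://127.0.0.1:3080;   # Tobira's listen address, assumed
    }
}
```

Because Tobira trusts these headers completely in this mode, its port must only be reachable from this proxy, and the same lazy-session RequestMapper pattern (a second Host entry, or an ApplicationOverride) is what would let the one SP also serve the Opencast hostnames.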