Federation.IPAuthentication r1.2 - 18 Dec 2007 - 23:46 - BrucLiong

How to use IP-based Protection

There are times when IP-based authentication is the only acceptable authentication mechanism for the IdP (e.g. library machines).

1. enable mod_auth_location on your apache

  • download and compile it
    wget http://federation.org.au/software/mod_auth_location-1.1.tar.gz
    tar xvfz mod_auth_location-1.1.tar.gz
    cd mod_auth_location-1.1
    ./configure --with-apxs=/usr/bin/apxs2
    make
    make install
    
  • create a file /etc/apache2/mods-available/mod_location.load
    LoadModule auth_location_module modules/mod_auth_location.so
    
  • enable this module on apache
    a2enmod mod_location
    
    or simply make a symlink to mods-enabled:
    ln -s /etc/apache2/mods-available/mod_location.load /etc/apache2/mods-enabled/.
    
2. edit your 443 vhost:
<Location /shibboleth-idp/SSO>
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative OFF
    AuthName "Shibboleth IdP Authentication"
    AuthLDAPBindDN uid=binduser,ou=demo,dc=mams,dc=org,dc=au
    AuthLDAPBindPassword "test"
    AuthLDAPURL "ldap://localhost:389/ou=demo,dc=mams,dc=org,dc=au?uid?sub?(objectClass=*)"
    require valid-user
    
    AuthLocationDefineLocation melcoe 137.111.246.*
    AuthLocationDefineLocation library 137.111.235.20-35
    AuthLocationDefineApplication journal providerId=urn:mace:federation.org.au:testfed:bookstore.org.au QS
    AuthLocationDefineApplication intranet providerId=urn:mace:federation.org.au:testfed:mams.org.au QS
    AuthLocationRequireAnonymous journal library libuser
    AuthLocationRequireAnonymous intranet melcoe binduser
</Location>

The above defines two protected IP-range locations (melcoe and library) and two applications (journal and intranet). The journal application runs on the bookstore SP, whereas the intranet application runs on the mams.org.au SP. If a user tries to access the wrong SP, this IP-based authentication fails. When the user accesses the correct SP from the correct range of IP addresses, the protection block above maps journal access from library to a user called libuser (which must be a valid user), and maps the user to binduser when he comes from melcoe and accesses the intranet application.

Assume a user goes to one of the library kiosks (IP range 137.111.235.20-35) and starts browsing to http://www.bookstore.org.au (its entityId is urn:mace:federation.org.au:testfed:bookstore.org.au). He will not be asked to authenticate, as the IdP has mapped him to libuser automatically and has released all of libuser's attributes (according to the ARP).
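To check which anonymous user a given client IP and SP would be mapped to by the block above (and which combinations fail closed), here is an added model of the directive evaluation. It is not mod_auth_location's own code; it assumes that locations match octet-wise (`*` matches any octet, `a-b` an inclusive range) and that an application matches when the named query-string parameter equals the given value.

```python
from urllib.parse import parse_qs

# Constructed copy of the AuthLocation* directives from the vhost block above.
CONFIG = """
AuthLocationDefineLocation melcoe 137.111.246.*
AuthLocationDefineLocation library 137.111.235.20-35
AuthLocationDefineApplication journal providerId=urn:mace:federation.org.au:testfed:bookstore.org.au QS
AuthLocationDefineApplication intranet providerId=urn:mace:federation.org.au:testfed:mams.org.au QS
AuthLocationRequireAnonymous journal library libuser
AuthLocationRequireAnonymous intranet melcoe binduser
"""

def parse_config(text):
    """Split the directives into locations, applications and anonymous rules."""
    locations, apps, rules = {}, {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "AuthLocationDefineLocation":
            locations[parts[1]] = parts[2]
        elif parts[0] == "AuthLocationDefineApplication":
            key, _, value = parts[2].partition("=")   # trailing QS: match query string
            apps[parts[1]] = (key, value)
        elif parts[0] == "AuthLocationRequireAnonymous":
            rules.append((parts[1], parts[2], parts[3]))  # app, location, mapped user
    return locations, apps, rules

def ip_in_location(ip, pattern):
    """Assumed octet-wise match: '*' is any octet, 'lo-hi' an inclusive range."""
    octets, pats = ip.split("."), pattern.split(".")
    if len(octets) != 4 or len(pats) != 4 or not all(o.isdigit() for o in octets):
        return False
    for o, p in zip(octets, pats):
        if p == "*":
            continue
        if "-" in p:
            lo, hi = p.split("-", 1)
            if not int(lo) <= int(o) <= int(hi):
                return False
        elif o != p:
            return False
    return True

def resolve_user(client_ip, query_string, config=CONFIG):
    """Return the anonymous user a request maps to, or None (no mapping: auth fails)."""
    locations, apps, rules = parse_config(config)
    qs = parse_qs(query_string)
    for app, loc, user in rules:
        key, value = apps[app]
        if qs.get(key, [None])[0] == value and ip_in_location(client_ip, locations[loc]):
            return user
    return None
```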

Copyright © 1999-2010 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.