Single Sign On with Shibboleth
The following prerequisites have to be fulfilled:
- Apache HTTP daemon (as a proxy for openBIS AS and DSS) is installed.
- Shibboleth daemon is installed.
- Shibboleth module for Apache is installed.
- openBIS is registered at the federation of services (like SWITCHaai)
For 1.-3. see Shibboleth Service Provider (SP) Installation Guide
After installation of Apache and Shibboleth they have to be configured as described in Shibboleth Service Provider (SP) Configuration Guide.
An important step during the configuration process is the registration at the federation (see https://www.switch.ch/aai/guides/sp/configuration/#7). In this step the URL of the application and the required attributes of the user to be signed on have to be specified:
- The URL of the application should be something like
<host> is the name of the host machine. Instead of openbis-sso another name can be chosen if it is not
The required attributes are used by openBIS to register the user in the openBIS database. The following attributes are needed by openBIS:
- an attribute which uniquely identifies the user. This can be an ID like SWITCH edu-ID (e.g. firstname.lastname@example.org). But this has the disadvantage that the user wouldn't be easily recognisable in openBIS. A more appropriate ID is the e-mail address.
- first name or given name
- last name or surname
- e-mail address
By default openBIS is configured to run without a proxy as an HTTPS server. Behind the proxy openBIS AS and DSS have to be configured to run as HTTP servers:
Change the following in
In order to test this configuration you should see the following line in the AS log (bin/bislog.sh) after successful startup of AS and DSS (
Next, SSO has to be enabled for ELN/LIMS by adding something like the following to
Note that the application name should be the same as specified during registration at the federation.
In order to forward requests by the Apache proxy to openBIS the following openbis.conf file has to be added to the Apache config files folder (most likely
openbis-sso is the name of the application as registered at the federation.
You have to restart Apache with sudo systemctl restart httpd.
The Shibboleth daemon configuration shibboleth2.xml (most likely found in /etc/shibboleth) is almost configured for SWITCHaai when following the instructions in Shibboleth Service Provider (SP) Configuration Guide. But some adaptations are needed:
- The timeout attribute of the <Sessions> element has to be set to a value equal to or larger than the openBIS timeout as specified in servers/openBIS-server/jetty/etc/service.properties by the property
- The following <Notify> element has to be added at the end of the
<Notify Channel="front" Location="https://<host>/openbis-sso"/>
where <host> is the hostname and openbis-sso is the application name as registered at the federation.
You have to restart Shibboleth with sudo systemctl restart shibd.service.
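A small consistency check for the two shibboleth2.xml adaptations above (Sessions timeout not shorter than the openBIS timeout, and a front-channel Notify pointing at the application URL). This is an added example, not code from the openBIS or Shibboleth documentation; it assumes the openBIS property is named session-timeout and is in minutes, that the Shibboleth timeout attribute is in seconds, and it uses constructed file excerpts with the placeholder host example.org.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpts standing in for the real files (not from the page).
SHIBBOLETH2_XML = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false">
      <Notify Channel="front" Location="https://example.org/openbis-sso"/>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""

SERVICE_PROPERTIES = """# constructed excerpt of service.properties
session-timeout = 720
"""

def _local(tag):
    # Strip the SP2/SP3 namespace so the check works for either schema.
    return tag.split('}')[-1]

def sessions_timeout_seconds(xml_text):
    """Value of the timeout attribute of <Sessions> (seconds)."""
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == 'Sessions':
            return int(el.get('timeout'))
    raise ValueError('no <Sessions> element found')

def openbis_timeout_minutes(props_text, key='session-timeout'):
    """openBIS session timeout; property name is an assumption, in minutes."""
    m = re.search(r'^\s*' + re.escape(key) + r'\s*=\s*(\d+)', props_text, re.M)
    if not m:
        raise ValueError(f'{key} not set')
    return int(m.group(1))

def front_channel_notify_locations(xml_text):
    return [el.get('Location') for el in ET.fromstring(xml_text).iter()
            if _local(el.tag) == 'Notify' and el.get('Channel') == 'front']

def check(xml_text, props_text, app_url):
    """Return a list of problems; an empty list means the settings agree."""
    problems = []
    shib = sessions_timeout_seconds(xml_text)
    openbis = openbis_timeout_minutes(props_text) * 60
    if shib < openbis:
        problems.append(f'Shibboleth timeout {shib}s < openBIS timeout {openbis}s')
    if app_url not in front_channel_notify_locations(xml_text):
        problems.append(f'no front-channel <Notify> for {app_url}')
    return problems

if __name__ == '__main__':
    print(check(SHIBBOLETH2_XML, SERVICE_PROPERTIES, 'https://example.org/openbis-sso'))
```

Run against the real files by reading them in place of the constructed strings; a non-empty result means a user session can be cut off by Shibboleth before openBIS expires it, or that openBIS will not be notified on logout.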