1.14 Shibboleth

General

The implementation of authentication is basically similar in Goobi viewer and Goobi workflow. Nevertheless, there are the following differences:

In Goobi workflow the entire application is secured, whereas in Goobi viewer only the pages that require a prior login are secured.

In Goobi workflow, a user account must exist beforehand and then be assigned to the authentication type. Only then is the single sign-on functionality available. In Goobi viewer, an account is automatically created upon successful authentication if it does not already exist. This means that all functionalities are automatically available without further registration. Only for more extensive rights, such as access to the admin backend, must further settings be changed manually.

Configuration

shibd, Apache and Tomcat

The following sections refer to Ubuntu Linux, as also described in the installation instructions.

For the installation, it is sufficient to install the package libapache2-mod-shib2 on the server on which Apache is running. This will install all the necessary dependencies:

apt install libapache2-mod-shib2

Afterwards, shibd must be configured. Usually, the institutions that use Shibboleth already have ready-made configurations. Pay particular attention to the following files:

  • /etc/shibboleth/attribute-map.xml

  • /etc/shibboleth/attribute-policy.xml

  • /etc/shibboleth/shibboleth2.xml

  • /etc/shibboleth/sp-metadata.xml

In shibboleth2.xml and sp-metadata.xml, a meaningful entityID should be set, for example https://viewer.example.org/shibboleth. In shibboleth2.xml this is the entityID attribute of the <ApplicationDefaults /> element, and in sp-metadata.xml the entityID attribute of the <md:EntityDescriptor /> tag.

In attribute-map.xml, the id of the attribute carrying the email address must be prefixed with AJP_. Only attributes with this prefix are transferred from the AJP module to Tomcat. In Tomcat the attribute then appears without the prefix. Here is an example of an entry in attribute-map.xml:

<Attribute name="urn:oid:1.2.3456.77777777.888.9.0" id="AJP_shib-email" />

With Ubuntu Linux 18.04 and Tomcat 9.0.16 no further settings are necessary in server.xml. From Ubuntu Linux 20.04 and Tomcat 9.0.31 onwards, the attribute must be named explicitly in the AJP Connector using the allowedRequestAttributesPattern setting.
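The following check is an added example, not part of the Goobi viewer documentation or code: it reads an attribute-map.xml and a Tomcat server.xml and reports which mapped attributes would reach Tomcat over AJP, plus a heuristic for patterns that admit more than intended. The sample XML (including the second attribute and the connector's address and port) is constructed, the function names are hypothetical, and Python's re.fullmatch stands in for Tomcat's Java regex matching, which behaves the same for simple patterns like these.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the snippets on this page.
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:1.2.3456.77777777.888.9.0" id="AJP_shib-email" />
  <Attribute name="urn:oid:1.2.3456.77777777.888.9.1" id="shib-affiliation" />
</Attributes>"""

SERVER_XML = """<Server><Service name="Catalina">
  <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
             allowedRequestAttributesPattern="shib-email" />
</Service></Server>"""


def ajp_attribute_report(attribute_map, server_xml):
    """Map each attribute id to its fate (hypothetical helper, not a Goobi API)."""
    ids = [el.get("id") for el in ET.fromstring(attribute_map).iter()
           if el.tag.rsplit("}", 1)[-1] == "Attribute"]
    patterns = [c.get("allowedRequestAttributesPattern")
                for c in ET.fromstring(server_xml).iter("Connector")
                if c.get("protocol", "").startswith("AJP")]
    report = {}
    for attr_id in ids:
        if not attr_id.startswith("AJP_"):
            # Without the prefix the attribute is not transferred to Tomcat.
            report[attr_id] = "no AJP_ prefix"
            continue
        name = attr_id[len("AJP_"):]  # Tomcat sees the name without the prefix
        # Tomcat rejects AJP requests carrying an arbitrary attribute unless
        # its entire name matches allowedRequestAttributesPattern.
        allowed = any(p is not None and re.fullmatch(p, name) for p in patterns)
        report[name] = "delivered" if allowed else "rejected by connector"
    return report


def overly_broad(pattern, probe="unrelated-attribute"):
    """Heuristic: a pattern that also matches an unrelated name is too wide."""
    return re.fullmatch(pattern, probe) is not None


if __name__ == "__main__":
    print(ajp_attribute_report(ATTRIBUTE_MAP, SERVER_XML))
    print(overly_broad(".*"), overly_broad("shib-email"))
```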

In the Apache web server, a special REST endpoint of the Goobi viewer is then secured via Shibboleth authentication:

<Location "/api/v1/auth/header">
    Require shibboleth
    AuthType shibboleth
    ShibRequestSetting requireSession 1
</Location>

Goobi viewer

A corresponding authentication provider must now be set up in the local config_viewer.xml. An example configuration is as follows:

<authenticationProviders>
    <provider type="httpHeader"
              enabled="true"
              name="Shibboleth"
              parameterType="attribute"
              parameterName="shib-email"
              endpoint="https://viewer.example.org/api/v1/auth/header" />
</authenticationProviders>

The type attribute defines the desired authentication method. The enabled switch turns authentication on and off. The name specifies the label of the button in the login dialogue. The parameterType specifies whether an HTTP header or an attribute is to be evaluated. The name of the header or attribute is configured in parameterName. The endpoint is the absolute URL of the REST endpoint secured in Apache.

Log in

To log in, click on the corresponding provider button in the login dialogue; in the following screenshot this is "Shibboleth". The button points to the configured endpoint, where Apache and shibd take over the authentication and return the result to the endpoint. The Goobi viewer takes over the information, logs the user in and redirects to the page on which the login was initiated.

Login dialogue with activated Shibboleth authentication

Last updated 2 years ago