Goobi workflow
Documentation homeGoobi workflow PluginsGoobi workflow Digests
English
English
  • Overview
    • Goobi workflow Handbook
    • Overview of documentation
    • What is Goobi?
  • Users
    • Goobi for Users
    • The basics
      • Logging in
      • Menu
      • Logging out
      • Switch between available languages
      • Help function
      • Personal settings
      • Changing your password
      • My tasks
      • Processes
      • How to find a process
      • How to create a new process
      • Edit task details
    • How different user groups work with Goobi
      • Scanning
      • Quality control
      • Manual script steps and plugin steps
      • Automatic script-run steps
      • Metadata processing
      • Export to the DMS
    • Metadata Editor
      • User interface
        • Structure tree
        • Page display
        • Menu options
      • Metadata indexing
        • Pagination
        • Structuring
          • Create new structure element
          • Moving structure elements
          • Copying structure elements from other processes
      • Modifying and verifying data
        • Subsequent changes to pagination
        • Uploading files
        • Downloading files
        • Server-based exports
        • Server-based imports
      • Edit OCR results
      • Overview of the keyboard combinations
  • Management
    • Goobi Management
    • Structure of the extended user interface
    • Rulesets
    • LDAP groups
    • Users
    • User groups
    • Processes
      • Searching processes
      • Activity
      • Activities for hit lists
      • GoobiScript
    • Variables
    • Harvester
  • Administration
    • Goobi Administration
    • File system
      • Global directory structure
        • ‘config’ sub-directory
        • ‘import’ sub-directory
        • ‘metadata’ sub-directory
        • ‘plugins’ sub-directory
        • ‘rulesets’ sub-directory
        • ‘scripts’ sub-directory
        • ‘xslt’ sub-directory
      • Directory structure of the application
      • Integrating external storage
      • Integration of S3 as storage
    • Services
      • MySQL database
      • Apache Tomcat servlet container
      • User authentication using LDAP
      • File system access using Samba
    • Exporting to digital libraries
      • Technical data
      • Mets parameters
      • Mets file groups
      • Export configuration in the Goobi configuration file
    • Working with the intranda Task Manager
    • Automatic workflow steps
      • Example combination for an automatic script task
      • Migration of technical data to METS files
      • Automatic image deletion
    • Configuration files
      • goobi_activemq.xml
      • goobi_config.properties
      • goobi_digitalCollections.xml
      • goobi_exportXml.xml
      • goobi_mail.xml
      • goobi_metadataDisplayRules.xml
      • goobi_normdata.xml
      • goobi_opac.xml
      • goobi_opacUmlaut.txt
      • goobi_processProperties.xml
      • goobi_projects.xml
      • goobi_rest.xml
      • goobi_webapi.xml
      • messages_xx.properties
      • config_contentServer.xml
    • Installation guide
      • Installation guide - Ubuntu 20.04
    • Update guide
      • Preparation of an update
      • Update steps
        • 2020
        • 2021
        • 2022
        • 2023
        • 2024
        • 2025
    • Authentication options
      • Authentication via the database
      • Authentication via HTTP header
      • Authentication via OpenID Connect
    • Use cases
      • Create thumbnails for accelerated image display
      • Handling of 3D Objects
      • Export of 3D-Objects into the Goobi viewer
  • Developer
    • Setting up a development environment
      • Preparatory work
      • Setting up Eclipse
      • Resetting the data
      • Best practice for developing Goobi and working with Eclipse
    • Using the REST API
    • Snippets for the development on Goobi workflow
      • HTML
      • JavaScript
Bereitgestellt von GitBook
Auf dieser Seite
  • Example configuration for CAS using Apache2
  • Example configuration for SAML using Apache2 and mod_auth_melon
Als PDF exportieren
  1. Administration
  2. Authentication options

Authentication via HTTP header

HTTP header authentication reads an HTTP header in the request and checks if there is a user whose SSO-ID matches the content of the header. If there is a user, he will be logged in. As HTTP headers can be set very easily, this authentication should only be used if Goobi workflow can only be accessed via an upstream web server (e.g. Apache2 or nginx) and this server handles the actual authentication. To use this authentication, the following switches must be set in the goobi_config.properties configuration file:

EnableHeaderLogin=true
SsoHeaderName=casauthn
showSSOLogoutPage=true

The functionality is switched on with EnableHeaderLogin, the parameter SsoHeaderName defines the name of the header to be read out. The configuration key showSSOLogoutPage enables a redirect to a logout page, so the user is not logged in directly after logging out.

In addition, the login endpoint must be activated in the API. To do this, a new entry is created in the goobi_rest.xml:

goobi_rest.xml
<endpoint path="/login/header">
    <method name="get">
        <allow />
    </method>
</endpoint>

Example configuration for CAS using Apache2

An example setup with an Apache2 web server and CAS single sign on could be performed as follows:

First Apache2 and the CAS module must be installed.

apt install apache2 libapache2-mod-auth-cas libcurl4 libpcre3

The CAS module assumes that some directories exist and that the Apache2 process has access to these directories:

mkdir -p /var/cache/httpd/mod_auth_cas/ && chown daemon /var/cache/httpd/mod_auth_cas/

Finally, the configuration for the Apache2 web server must be adjusted so that the module is loaded and the correct upstream header is set:

# load the CAS module
LoadModule auth_cas_module /usr/lib/apache2/modules/mod_auth_cas.so

<IfModule unixd_module>
# configure CAS
CASCookiePath /var/cache/httpd/mod_auth_cas/
CASLoginURL https://your.cas.service.tld/cas/login
CASValidateURL https://your.cas.service.tld/cas/serviceValidate
</IfModule>

# ProxyPass to Goobi...
ProxyPass "/goobi/" "http://localhost:8080/goobi/"
ProxyPassReverse "/" "http://localhost:8080/goobi/"

# ...and protect the location with CAS
<Location /goobi/>
  Authtype CAS 
  # this is the name of the header you need to set in the Goobi configuration
  CASAuthNHeader casauthn
  require valid-user
</Location>

Example configuration for SAML using Apache2 and mod_auth_melon

This example setup uses mod_auth_melon to implement authentication using SAML services and the Goobi workflow header login. Here we use the entityID https://mygoobi.tld/mygoobisp/ for our new service provider to be set up and assume that our server can be reached under the domain mygoobi.tld. The Goobi to be secured can then be reached under the URL https://mygoobi.tld/goobi/.

First of all, Apache2 and mod_auth_melon should be installed:

apt install apache2 libapache2-mod-auth-mellon

Next, the service provider metadata should be generated along with the private key and certificate. There is a handy script for this in the mod auth mellon repository:

This script expects two parameters, the entityID of our service provider, and the URL under which the SAML endpoints of the service provider can be reached:

./mellon_create_metadata.sh "https://mygoobi.tld/mygoobisp/" "https://mygoobi.tld/mellon"

The command generates a private key, a certificate and the metadata for the service provider.

In the Apache2 configuration, the auth module must now be loaded and two Locations must be created:

LoadModule auth_mellon_module /usr/lib/apache2/modules/mod_auth_mellon.so


# ProxyPass to Goobi...
ProxyPass "/goobi/" "http://localhost:8080/goobi/"
ProxyPassReverse "/" "http://localhost:8080/goobi/"

<Location />
    MellonEnable "info"
    MellonEndpointPath "/mellon/"
    
    # This needs to be configured in the Goobi workflow configuration as 
    # SsoHeaderName=ssoid
    MellonSetEnvNoPrefix "ssoid" "mail"

    # needs to be obtained from the identity provider
    MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
    
    # the next three files were created my the 
    # mellon_create_metadata.sh script mentioned above
    MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml
    MellonSPPrivateKeyFile /etc/apache2/mellon/sp.key
    MellonSPCertFile /etc/apache2/mellon/sp.cert
</Location>

<Location /goobi/>
    Authtype "Mellon"
    Require valid-user
    MellonEnable "auth"
</Location>

The first Location is the global mellon configuration where we configure the metadata for the identity provider and the service provider. The second Location is the Goobi application to be protected. Here we configure the Authtype to Mellon and require a valid user. Goobi workflow then uses the ssoid header to identify users as described above.

VorherigeAuthentication via the databaseNächsteAuthentication via OpenID Connect

Zuletzt aktualisiert vor 5 Monaten

https://github.com/latchset/mod_auth_mellon/blob/master/mellon_create_metadata.sh