HTTP header authentication reads an HTTP header in the request and checks if there is a user whose SSO-ID
matches the content of the header. If there is a user, he will be logged in. As HTTP headers can be set very easily, this authentication should only be used if Goobi workflow can only be accessed via an upstream web server (e.g. Apache2
or nginx
) and this server handles the actual authentication. To use this authentication, the following switches must be set in the goobi_config.properties
configuration file:
The functionality is switched on with EnableHeaderLogin
, the parameter SsoHeaderName
defines the name of the header to be read out. The configuration key showSSOLogoutPage
enables a redirect to a logout page, so the user is not logged in directly after logging out.
In addition, the login
endpoint must be activated in the API. To do this, a new entry is created in the goobi_rest.xml
:
An example setup with an Apache2
web server and CAS single sign
on could be performed as follows:
First Apache2
and the CAS module
must be installed.
The CAS module
assumes that some directories exist and that the Apache2
process has access to these directories:
Finally, the configuration for the Apache2
web server must be adjusted so that the module is loaded and the correct upstream header
is set:
This example setup uses mod_auth_melon
to implement authentication using SAML services and the Goobi workflow header login. Here we use the entityID https://mygoobi.tld/mygoobisp/
for our new service provider to be set up and assume that our server can be reached under the domain mygoobi.tld
. The Goobi to be secured can then be reached under the URL https://mygoobi.tld/goobi/
.
First of all, Apache2 and mod_auth_melon
should be installed:
Next, the service provider metadata should be generated along with the private key and certificate. There is a handy script for this in the mod auth mellon repository:
https://github.com/latchset/mod_auth_mellon/blob/master/mellon_create_metadata.sh
This script expects two parameters, the entityID of our service provider, and the URL under which the SAML endpoints of the service provider can be reached:
The command generates a private key, a certificate and the metadata for the service provider.
In the Apache2 configuration, the auth module must now be loaded and two Location
s must be created:
The first Location
is the global mellon
configuration where we configure the metadata for the identity provider and the service provider. The second Location
is the Goobi application to be protected. Here we configure the Authtype
to Mellon
and require a valid user. Goobi workflow then uses the ssoid header to identify users as described above.