Installing DAR and ASM

DAR and ASM are two modules that enable multiple simultaneous authentication methods for Muradora without any need to change the underlying authentication code of Fedora. Currently Shibboleth is the supported authentication method (note: Shibboleth itself can support many different authentication techniques).

ASM stands for Authentication State Manager; it can support different authentication techniques such as LDAP or Shibboleth. After authentication, it retrieves the current user's session attributes (username, roles/groups, email addresses, etc.) and writes them into a local LDAP attribute store that is used exclusively by Fedora. It also returns the current user's credentials to the DAR. The important point is that, regardless of the authentication method, the ASM uses a common LDAP to store the current user session information, and Fedora is configured to authenticate against this LDAP (hence no need to change the Fedora authentication code). This LDAP (or at least a dedicated branch within an LDAP) should therefore be reserved exclusively for use by the ASM and Fedora.

DAR stands for Delegated Attribute Retriever; it is integrated with Muradora as a servlet filter. The DAR redirects the user's login request to the ASM and receives the user's credentials back from it. Muradora uses these credentials when communicating with Fedora via the SOAP and REST interfaces.

Prerequisites

  • Muradora GUI application.
  • An LDAP server used exclusively by the ASM (to write to) and Fedora (to authenticate against).
  • A Tomcat 5.x.x server.
  • An Apache server.
  • Shibboleth IdP and SP 1.3.
  • Sun JDK 1.5.x.
  • Apache Ant 1.5.1 or later.
  • DAR and ASM download.

Instructions

  • DAR build and deployment. DAR is built as a JAR package and is supplied with Muradora. If you use the supplied one, you don't need to do anything. If you want to build it from source, download the DAR distribution from the RAMP web site, go to the directory dar-asm/dar/ and run ant. This produces a dar.jar package; copy it into your Muradora library directory.
  • DAR configuration. Modify the dar_config.xml file located under $TOMCAT_HOME/webapps/muradora/WEB-INF/classes (or under Muradora/src/ before building) so that the ASM endpoints carry the correct hostname and port:
    	<SHIB_LOGIN>
    		<TARGET>https://yourserver:port/asm</TARGET>
    		<PROCESSOR>melcoe.dar.processor.FedoraClientProcessor</PROCESSOR>
    	</SHIB_LOGIN>

  • Enable the DAR by adding the following filter definition and mapping to web.xml under $TOMCAT_HOME/webapps/muradora/WEB-INF/:
    	<filter>
    		<filter-name>DARShibLoginFilter</filter-name>
    		<filter-class>melcoe.dar.DARFilter</filter-class>
    	</filter>
    	<filter-mapping>
    		<filter-name>DARShibLoginFilter</filter-name>
    		<url-pattern>/darShibLogin.jsp</url-pattern>
    	</filter-mapping>

  • ASM configuration. Download the ASM distribution from the RAMP web site. Go to the directory dar-asm/asm/config/ and modify shibloginldap.properties.
    1. The LDAP-* properties describe the LDAP server to which the Shibboleth attributes will be written, i.e. the local LDAP store used exclusively by Fedora.
    2. The values of the SHIB-* properties, except SHIB-USER and SHIB-PASSWORD, are obtained from IdP attributes; you may need to adjust them to match the actual attribute mapping of your IdP. Some of these properties are written into the LDAP server for Fedora authentication. Some are returned to the client (e.g. Muradora) for website personalisation, but the two attributes used by the XACML policies are SHIB_USER and SHIB_ROLES.
    3. The SHIB_USER and SHIB_PASSWORD values are normally fixed; you shouldn't change them without looking at the ASM code.
  • Shibboleth configuration. It is assumed that an Apache server with the appropriate Shibboleth infrastructure has already been set up. Place the following block into the Apache configuration file so that the ASM login action requires a valid Shibboleth session:
            <Location /asm/shibLogin.action>
                   AuthType shibboleth
                   ShibRequireSession On
                   require valid-user
            </Location>

  • ASM build and deployment. Go to the directory dar-asm/asm/ and run ant. This produces an asm.war package; copy it to your Tomcat server.

  • You also need to change the default Fedora LDAP filter so that it caches successful logins for less than a minute. This is because the ASM generates a new random password each time the user successfully logs on and stores this password in the local LDAP that Fedora authenticates against. Hence, if the user logs in again within 10 minutes (the default cache time of the Fedora LDAP filter), the cached (now stale) password is used and they will fail to authenticate. It is suggested that the time be changed to 30 seconds. This is done in "$TOMCAT/webapps/fedora/web.xml". Under <filter-name>LdapFilterForAttributes</filter-name>, add the following:
                    <init-param>
                            <param-name>lookup-success-timeout-unit</param-name>
                            <param-value>SECOND</param-value>
                    </init-param>
                    <init-param>
                            <param-name>lookup-success-timeout-duration</param-name>
                            <param-value>30</param-value>
                    </init-param>
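To make the interaction described in the ASM overview and in the last step concrete, the following Python model (added here as an example; it is not Muradora, ASM or Fedora code) simulates an ASM that issues a fresh random password per Shibboleth login and writes it into the LDAP branch reserved for Fedora, and a Fedora-style LDAP filter with a success cache. The cache semantics are an assumption made to reproduce the failure the guide describes: within the timeout, the filter compares the presented password with the cached one instead of binding to LDAP. The LDAP store, the user attributes and the clock are constructed in memory so the example runs offline.

```python
"""Simplified model of the ASM -> local LDAP -> Fedora LDAP filter login path.

Assumptions (not taken from the Muradora/ASM/Fedora source):
  - the ASM overwrites the user's LDAP password with a new random value on every
    successful Shibboleth login and hands that credential back to the DAR;
  - Fedora's LDAP filter remembers a successful (user, password) pair for
    `success_timeout` seconds and, inside that window, checks the presented
    password against the remembered one without consulting LDAP.
"""
import secrets
import time


class LocalLdap:
    """In-memory stand-in for the LDAP branch used only by the ASM and Fedora."""

    def __init__(self):
        self.entries = {}

    def write(self, username, attrs):
        # The ASM is the only writer; each login replaces the whole entry.
        self.entries[username] = dict(attrs)

    def bind(self, username, password):
        entry = self.entries.get(username)
        if entry is None:
            return False
        # Constant-time comparison; a real directory would store a hashed userPassword.
        return secrets.compare_digest(entry["userPassword"], password)


class Asm:
    """Authentication State Manager: turns IdP attributes into a Fedora credential."""

    def __init__(self, ldap):
        self.ldap = ldap

    def shib_login(self, shib_attrs):
        username = shib_attrs["eppn"]
        password = secrets.token_urlsafe(24)  # fresh random password per login
        self.ldap.write(username, {
            "userPassword": password,
            "roles": list(shib_attrs.get("roles", [])),
            "mail": shib_attrs.get("mail", ""),
        })
        # Returned to the DAR; Muradora uses it for SOAP/REST calls to Fedora.
        return {"user": username, "password": password, "roles": list(shib_attrs.get("roles", []))}


class FedoraLdapFilter:
    """Models LdapFilterForAttributes with lookup-success-timeout-duration in seconds."""

    def __init__(self, ldap, success_timeout, clock=time.time):
        self.ldap = ldap
        self.success_timeout = success_timeout
        self.clock = clock
        self.cache = {}  # username -> (password seen at last success, expiry time)

    def authenticate(self, username, password):
        now = self.clock()
        cached = self.cache.get(username)
        if cached is not None and now < cached[1]:
            # Cache hit: LDAP is not consulted, so a password rotated by the ASM
            # in the meantime is rejected until the cache entry expires.
            return secrets.compare_digest(cached[0], password)
        ok = self.ldap.bind(username, password)
        if ok:
            self.cache[username] = (password, now + self.success_timeout)
        return ok


def relogin_outcome(cache_timeout_seconds, seconds_between_logins):
    """Log the same user in twice via the ASM; return (first_ok, second_ok)."""
    now = [0.0]  # simulated clock so the example is deterministic
    ldap = LocalLdap()
    asm = Asm(ldap)
    fedora = FedoraLdapFilter(ldap, cache_timeout_seconds, clock=lambda: now[0])
    attrs = {"eppn": "alice@example.org", "roles": ["editor"]}  # constructed IdP attributes

    first = asm.shib_login(attrs)
    first_ok = fedora.authenticate(first["user"], first["password"])

    now[0] += seconds_between_logins
    second = asm.shib_login(attrs)  # rotates the password in LDAP
    second_ok = fedora.authenticate(second["user"], second["password"])
    return first_ok, second_ok


if __name__ == "__main__":
    print("600 s cache, re-login after 120 s:", relogin_outcome(600, 120))
    print(" 30 s cache, re-login after 120 s:", relogin_outcome(30, 120))
    print(" 30 s cache, re-login after  10 s:", relogin_outcome(30, 10))
```

With the 10-minute default a second login two minutes later is rejected, because the filter still holds the password from the first login; with the 30-second setting the same re-login succeeds. The model also shows that the shorter timeout narrows the window rather than removing it: a re-login inside 30 seconds still hits the stale cache entry.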
    