Restoring GeoNetwork Shibboleth Support
GeoNetwork had offered a Shibboleth authentication mechanism for logging in since version 2.4.0. Shibboleth is an open-source authentication framework that provides SSO access across different organizations and also allows a federated approach. During the transition of GeoNetwork to Spring Security in recent versions, many authentication and authorization backends were ported over (e.g. CAS, LDAP), but Shibboleth was forgotten in a dark corner.
A customer of ours needed Shibboleth support to be ported to GeoNetwork 2.10.x, as it is the Enterprise mechanism used for authentication and authorization purposes. The first part of the work consisted of restoring the explicit login as it worked in GeoNetwork 2.6.x, i.e. pressing the "Shibboleth login" button starts the Shibboleth login procedure, instead of entering credentials in GeoNetwork's own form.
Furthermore, a new use case arose, which is quite typical in Single Sign-On environments but was not yet implemented in GeoNetwork: when a user requests a protected resource, the system should ensure that the user is authorized to access that resource; after the authentication step (asking for credentials if needed), the user should be redirected back to the requested resource. This use case now works under Shibboleth and, thanks to a few updates we made, with form authentication as well. The work has been completed and you can find the related commits in this pull request. It will be merged in a few days into the 2.10.x branch. If you are interested, you can find more technical information on this GitHub wiki page.
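The return-to-requested-resource flow described above, as an added example in plain Java; it is not GeoNetwork's code or the code from the pull request. It assumes the session can be modelled as a map, uses hypothetical names and constructed paths, and adds a check (an assumption, not something the post describes) that the remembered target is a path inside the application before redirecting to it.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashMap;
import java.util.Map;

// Added illustration, not GeoNetwork code. All names and paths are hypothetical.
public class ReturnToRequestedResource {
    static final String DEFAULT_TARGET = "/geonetwork/home";  // constructed landing page
    static final String SAVED_KEY = "requestedResource";      // hypothetical session key

    // An unauthenticated request reached a protected resource: remember it, then start login.
    static void rememberRequest(Map<String, String> session, String requestedUri) {
        session.put(SAVED_KEY, requestedUri);
    }

    // Login succeeded (Shibboleth or form): choose where to send the user.
    static String targetAfterLogin(Map<String, String> session) {
        String saved = session.remove(SAVED_KEY);  // one-shot, so a stale target is never reused
        return isLocalPath(saved) ? saved : DEFAULT_TARGET;
    }

    // Accept only paths inside this application, so the login step cannot
    // be used to forward a user to another site.
    static boolean isLocalPath(String target) {
        if (target == null || !target.startsWith("/") || target.startsWith("//")
                || target.indexOf('\\') >= 0) {
            return false;
        }
        try {
            URI uri = new URI(target);
            return uri.getScheme() == null && uri.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false;  // control characters, stray spaces, malformed escapes
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; null models the explicit "Shibboleth login" button.
        String[] requested = {"/geonetwork/protected/record?id=42", null,
                              "//other.example/page", "https://other.example/page"};
        for (String uri : requested) {
            Map<String, String> session = new HashMap<>();
            if (uri != null) {
                rememberRequest(session, uri);
            }
            System.out.println(uri + " -> " + targetAfterLogin(session));
        }
    }
}
```

With the explicit login button there is no remembered request, so the user lands on the default page; only a request for a protected resource produces a redirect back to that resource.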
It is worth mentioning that this work was performed as part of our GeoSolutions Enterprise Services offer, so if you want to know more about how we can help your organization reach its goals, feel free to contact us!