[rabbitmq-discuss] Rabbit CAS(Central Authentication Service) or Shibboleth integration

Fri Jun 28 08:51:34 BST 2013

On Wed, 2012-10-10 at 11:32:41 -0700, Prabodh Upreti wrote:
> hello
> 
> Could you please explain how you have configured Shibboleth with rabbit.
> Sounds like I need to do the same with CAS.  I don't want to go the route of
> creating a plugin. thank you

Actually, I solved this with a hackish solution. As I stated before we
use Shibboleth but it should work with CAS.

Important: We use one admin account which all admins use.
While you can make it work with several accounts and create a mapping of
SSO users <=> RabbitMQ users that would involve alot of pain I'd recon
(unless you'd store the RabbitMQ username as a attribute in your SSO..
Well, ok. It might work, but don't bother IMO).

I'll describe the general idea so you can create your own solution:
* Setup an webserver (Apache in our case) with your authentication
module installed (Shibboleth in our case).
* Do an HTTP rewrite to /autologin if a cookie, e.g. tried_shib=1, isn't set.
* On /autologin run an CGI-script (Perl in our case, doesn't matter
which language) which does:
** Reads the your "rabbitmqadmin.conf" file and get the default username
and password.
** Checks if the user should be autologgedin or not (e.g. via a group
membership, affiliation etc)
** Set the cookie named "auth" to the base64 encoded value of
"username:password" and set the cookie in your HTTP rewrite, e.g.
tried_shib=1 in our case and expire it after 3 minutes (so that users
can retry to login if they accidentally log out e.g.).
** HTTP redirect to /
* (Remember to disable your authentication module on "/api".)

Hope you can make it work.

Br,
- Simon

P.S. I added Shibboleth to the subject for SEO reasons

____________________________________

Simon Lundström
Section for Infrastructure

IT Services
Stockholm University
SE-106 91 Stockholm, Sweden

www.su.se/it

____________________________________