Open Journal Systems (OJS)
Open Journal Systems (OJS) is an open source software application for managing and publishing scholarly journals. Originally developed and released by PKP in 2001 to improve access to research, it is the most widely used open source journal publishing platform in existence, with over 10,000 journals using it worldwide.
All examples assume you have installed and configured Shibboleth with FastCGI support, have the authorizer and responder already operating with suitable nginx location blocks, and have shib_request available.
With FastCGI (or other non-HTTP proxy) hosting of our application, we can pass the Shibboleth attributes as FastCGI parameters instead of HTTP request headers, which avoids the possibility of a client spoofing them. Bear in mind this feature requires nginx-http-shibboleth 2.0 or above.
OJS 3's Shibboleth plugin has support for mandatory or optional implicit authentication -- the configuration for both types of configuration.
In short, the configuration below sets up one specific endpoint to receive the Shibboleth variables (/shibboleth/shibLogin) and sets OJS up to allow Shibboleth authentication and read a user's data from corresponding environment variables.
- Install https://github.com/pkp/shibboleth into your OJS environment
- Log in to OJS, click Administration, then Site Settings, then Plugins
- Enable Shibboleth Authentication Plugin.
- Under Shibboleth Authentication Plugin, click Settings and enter the following:
  - Shibboleth SP path: /Shibboleth.sso/Login
  - $_SERVER environment variable keys - set these as per your nginx.conf:
    - Shibboleth UIN: EMAIL
    - Shibboleth first or given name: GIVENNAME
    - Shibboleth last, family, or surname: SN
    - Shibboleth e-mail address: EMAIL
  - List of Shibboleth user IDs or UINs who are OJS administrators: A space-delimited list of UINs to make admin
  - Optional Shibboleth Login: Enabled
  - Labels: customise any labels you want

  and click OK to save.

server {
    # ... other configuration for serving OJS, PHP, etc
    # ... other location blocks for nginx-http-shibboleth as per https://github.com/nginx-shib/nginx-http-shibboleth#configuration

    # Shibboleth authentication end-point for OJS
    location ~ ^/index.php/(.*?)/shibboleth/shibLogin$ {
        shib_request /shibauthorizer;

        # Add or modify to suit your Shibboleth variable configuration
        # This ensures that ONLY this endpoint receives the variables as FastCGI params
        shib_request_set $shib_givenname $upstream_http_variable_givenname;
        fastcgi_param GIVENNAME $shib_givenname;
        shib_request_set $shib_sn $upstream_http_variable_sn;
        fastcgi_param SN $shib_sn;
        shib_request_set $shib_email $upstream_http_variable_email;
        fastcgi_param EMAIL $shib_email;
        shib_request_set $shib_organizationname $upstream_http_variable_organizationname;
        fastcgi_param ORGANIZATIONNAME $shib_organizationname;

        include conf.d/php-location;
    }
}

# conf.d/php-location (included by the location block above)
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
    return 404;
}

fastcgi_pass 127.0.0.1:9000;
fastcgi_intercept_errors on;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
more_clear_headers 'X-Powered-By';

In short, the configuration below sets up one specific endpoint to receive the Shibboleth variables (implicitAuthReturn) and sets OJS up to allow Shibboleth authentication and read a user's data from corresponding environment variables.

server {
    # ... other configuration for serving OJS, PHP, etc
    # ... other location blocks for nginx-http-shibboleth as per https://github.com/nginx-shib/nginx-http-shibboleth#configuration

    # Shibboleth authentication end-point for OJS
    location = /index.php/index/login/implicitAuthReturn {
        shib_request /shibauthorizer;

        # Add or modify to suit your Shibboleth variable configuration
        # This ensures that ONLY this endpoint receives the variables as FastCGI params
        shib_request_set $shib_givenname $upstream_http_variable_givenname;
        fastcgi_param GIVENNAME $shib_givenname;
        shib_request_set $shib_sn $upstream_http_variable_sn;
        fastcgi_param SN $shib_sn;
        shib_request_set $shib_email $upstream_http_variable_email;
        fastcgi_param EMAIL $shib_email;
        shib_request_set $shib_organizationname $upstream_http_variable_organizationname;
        fastcgi_param ORGANIZATIONNAME $shib_organizationname;

        include conf.d/php-location;
    }
}

# conf.d/php-location (included by the location block above)
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
    return 404;
}

fastcgi_pass 127.0.0.1:9000;
fastcgi_intercept_errors on;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
more_clear_headers 'X-Powered-By';

; Is implicit authentication enabled or not
; Optional allows both local login and Shibboleth at the same time
implicit_auth = Optional
; Implicit Auth Header Variables
; Add or adjust configuration for other variables. MUST match Nginx's fastcgi_params
implicit_auth_header_first_name = GIVENNAME
implicit_auth_header_last_name = SN
implicit_auth_header_email = EMAIL
;implicit_auth_header_phone = TELEPHONENUMBER
;implicit_auth_header_initials = METADATA_INITIALS
implicit_auth_header_mailing_address = ORGANIZATIONNAME
implicit_auth_header_uin = EMAIL
; A space delimited list of uins to make admin (the addresses below are placeholders)
implicit_auth_admin_list = "admin1@example.org admin2@example.org admin3@example.org"
; URL of the implicit auth 'Way Finder' page. See pages/login/LoginHandler.inc.php for usage.
implicit_auth_wayf_url = "/Shibboleth.sso/Login"
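
The requirement that the implicit_auth_header_* values match the FastCGI params set in nginx can be checked mechanically. The following is an added example, not part of the original page or of OJS or nginx-http-shibboleth; the function names are hypothetical, and the embedded inputs are constructed from the snippets above, with ORGANIZATIONNAME deliberately left out of the nginx sample. Only params fed by a shib_request_set variable count as supplied, so a value taken from a request header would be reported.

```python
import re

# Constructed sample inputs, abridged from the snippets on this page.
NGINX = """
location = /index.php/index/login/implicitAuthReturn {
    shib_request /shibauthorizer;
    shib_request_set $shib_givenname $upstream_http_variable_givenname;
    fastcgi_param GIVENNAME $shib_givenname;
    shib_request_set $shib_sn $upstream_http_variable_sn;
    fastcgi_param SN $shib_sn;
    shib_request_set $shib_email $upstream_http_variable_email;
    fastcgi_param EMAIL $shib_email;
}
"""
OJS_INI = """
implicit_auth_header_first_name = GIVENNAME
implicit_auth_header_last_name = SN
implicit_auth_header_email = EMAIL
;implicit_auth_header_phone = TELEPHONENUMBER
implicit_auth_header_mailing_address = ORGANIZATIONNAME
implicit_auth_header_uin = EMAIL
"""

def nginx_shib_params(conf):
    """Names of fastcgi_param entries fed by a shib_request_set variable."""
    set_vars = set(re.findall(r"^\s*shib_request_set\s+(\$\w+)\s", conf, re.M))
    params = re.findall(r"^\s*fastcgi_param\s+(\w+)\s+(\$\w+)\s*;", conf, re.M)
    return {name for name, var in params if var in set_vars}

def ojs_expected_keys(ini):
    """Map each active (uncommented) implicit_auth_header_* setting to its key."""
    pairs = re.findall(r"^\s*(implicit_auth_header_\w+)\s*=\s*\"?(\w+)\"?\s*$", ini, re.M)
    return dict(pairs)

def audit(conf, ini):
    """Return findings; an empty list means both sides agree."""
    findings = []
    if not re.search(r"^\s*shib_request\s+\S+;", conf, re.M):
        findings.append("location has no shib_request authorizer")
    supplied = nginx_shib_params(conf)
    for setting, key in sorted(ojs_expected_keys(ini).items()):
        if key not in supplied:
            findings.append(f"{setting} reads {key}, which nginx does not set")
    return findings

if __name__ == "__main__":
    for line in audit(NGINX, OJS_INI) or ["config.inc.php and nginx agree"]:
        print(line)
```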