Configuration Guide to add Guest Login support to a service
This page describes how to configure a Shibboleth Service Provider to enable Guest Login. For more information on the Guest Login and the risks of enabling it, please first consult the Guest Login service page.
Adding Guest Login Support to an AAI service
In order to add the Guest Login feature to a Service Provider registered in the SWITCHaai federation or the AAI Test federation, the Service Provider must load the Guest Login metadata. For a Shibboleth Service Provider 2.x this can be achieved by the following steps:
- IMPORTANT: Before continuing, note that by allowing Guest Login users to your service, this service gets opened up to the whole world unless you add additional validation steps to your service to selectively restrict access. Be aware of the consequences of this step and also think of possible license issues that may arise when letting people from outside the education sector access your service.
  By applying the following configuration changes and thus enabling Guest Login support, you agree that SWITCH cannot be held responsible or liable for any actions of Guest Login users.
- Open the shibboleth2.xml configuration file (usually in /etc/shibboleth/) in a text editor as root user.
- Locate the XML element MetadataProvider of type="Chaining"
- Inside that MetadataProvider element add the following inner MetadataProvider element to load the Guest Login metadata.
  <!-- Guest Login metadata, refresh hourly -->
  <MetadataProvider type="XML" uri="https://aai.guest-login.ch/idp/shibboleth"
                    backingFilePath="metadata.guest-idp.xml" reloadInterval="3600">
  </MetadataProvider>
  Please note that this metadata file is not signed! Because it is unsigned, no Signature metadata filter can be applied to it; its integrity rests entirely on the TLS connection to aai.guest-login.ch.
- Test the configuration, e.g. with shibd -tc /etc/shibboleth/shibboleth2.xml
- Restart the shibd, e.g. with /etc/init.d/shibd restart
- Add a link/login button to the login page of your service. As an example, a login page using the Embedded WAYF could read:
If your organisation is not in the list of SWITCHaai organisations above, click on Guest Login and create an account if you haven't done this already.
The URL of the Guest Login Button must be of the form:
https://aai.guest-login.ch/idp/profile/SAML2/Unsolicited/SSO?providerId=#URL-encoded entityID of Service Provider#&target=#URL-encoded Target URL#,
e.g. https://aai.guest-login.ch/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Faai-viewer.switch.ch%2Fshibboleth&target=https%3A%2F%2Faai-viewer.switch.ch%2Faai%2F%3Ffoo%3Dbar
- Test access via the above link using a Guest Login account.
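The URL construction described above, as an added example that is not part of the original guide: it builds the Guest Login link with both parameters fully URL-encoded, and check_guest_login_url verifies a link found on a login page against the expected entityID and service host. The function names and the same-host check on the target are my own assumptions for this example, not Service Provider behaviour.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Unsolicited SSO endpoint of the Guest Login IdP, taken from the guide.
GUEST_LOGIN_SSO = "https://aai.guest-login.ch/idp/profile/SAML2/Unsolicited/SSO"


def guest_login_url(entity_id: str, target: str) -> str:
    """Build the Guest Login button URL for a Service Provider.

    Both parameters are encoded completely (safe=''), so ':', '/', '?' and
    '=' inside the entityID and target become %3A, %2F, %3F and %3D, as in
    the example URL of the guide.
    """
    if not target.startswith("https://"):
        raise ValueError("target must be an https URL on the service itself")
    return (
        f"{GUEST_LOGIN_SSO}?providerId={quote(entity_id, safe='')}"
        f"&target={quote(target, safe='')}"
    )


def check_guest_login_url(url: str, entity_id: str, target_host: str) -> dict:
    """Sanity-check a Guest Login link, e.g. one copied from a login page.

    Returns the decoded providerId and target after verifying that the link
    points at the Guest Login SSO endpoint, names the expected entityID and
    sends the user back to an https page on target_host (assumed check:
    the link builder should never send users to a foreign host).
    Raises ValueError otherwise.
    """
    parts = urlsplit(url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != GUEST_LOGIN_SSO:
        raise ValueError("link does not point at the Guest Login SSO endpoint")
    query = parse_qs(parts.query, strict_parsing=True)
    provider = query.get("providerId", [None])[0]
    if provider != entity_id:
        raise ValueError(f"unexpected providerId {provider!r}")
    target = query.get("target", [None])[0]
    if target is None:
        raise ValueError("link carries no target parameter")
    tgt = urlsplit(target)
    if tgt.scheme != "https" or tgt.hostname != target_host:
        raise ValueError(f"target {target!r} is not an https page on {target_host}")
    return {"providerId": provider, "target": target}
```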
Disabling or removing Guest Login support
If Guest Login support has to be disabled for some reason, follow these steps:
- Before continuing, note that the following steps will prevent all Guest Login users from accessing the service.
- Open the shibboleth2.xml configuration file (usually in /etc/shibboleth/) in a text editor as root user.
- Locate the MetadataProvider that loads the Guest Login metadata and comment it out or remove it.
- Restart the shibd, e.g. with /etc/init.d/shibd restart
- Remove any link on your service that was added to allow users to log in with a Guest Login account.
Access Control Hints
To deny Guest Login users access to certain pages or directories of a service, one can use a simple access control rule in Apache like:
<Location /no-guest-users>
  AuthType Shibboleth
  ShibRequestSetting requireSession true
  # Allow only values of homeOrganizationType that do not begin with "guest":
  # the value either starts with a character other than "g" or diverges from
  # "guest" at one of the following positions. The trailing .*$ makes the
  # pattern valid whether the regex is matched partially or against the whole value.
  Require homeOrganizationType ~ ^([^g]|g[^u]|gu[^e]|gue[^s]|gues[^t]).*$
</Location>
or in shibboleth2.xml (IIS or Apache):
<Host name="toolbox.switch.ch">
  <Path name="all-users" authType="shibboleth" requireSession="true"/>
  <!-- requireSession is needed on this path as well: without a session the
       Rule below cannot match, and the surrounding NOT would then let the
       unauthenticated request through. -->
  <Path name="no-guest-users" authType="shibboleth" requireSession="true">
    <AccessControl>
      <NOT><Rule require="homeOrganization">guest-login.ch</Rule></NOT>
    </AccessControl>
  </Path>
</Host>
Please also consult the page on how to use Shibboleth access control rules for further information on this topic.
