External shibboleth authentication

Hi All,

Question regarding authentication:

Our setup is a bit strange. We have a single web server which hosts our Shibboleth server provider, as well as a discovery service, for selecting which IDP to authenticate against. Obviously on that server we are running Shibboleth, so I can use AuthType shibboleth for various pages. However, we run Ubuntu on the web server, and from what I understand OpenOnDemand should be on CentOS. I have an OOD installation on CentOS 8 running already (I would prefer for it to be on a different node than the web node). Is there a way I can push the authentication I got from my web server Shibboleth over a proxy to OpenOnDemand?

Also, I can just proxy a root domain but I was curious if it was possible to change the site prefix for the OOD installation so I could proxy to /ood from my normal domain, for example.

Let me know if you need me to clear anything up and thanks for your time!

Hakan

Hi and welcome!

Lots of questions here - the first about Shibboleth auth. I’m not sure I follow the question. You have Shibboleth set up on an Apache already. What’s the issue with duplicating part or all of that config on another Apache? I guess you’re looking for an SSO experience where if they authenticate with one, they authenticate with the other. I’m not familiar enough with Shibboleth to know how that may work on the IDP side, but I’m guessing there’s a way. But again I’d guess it’s on the IDP side.

Instead of /pun I think you can set pun_uri in ood_portal.yml. Here are reference docs. That said - I’ll bet /pun is hard coded somewhere, so please reach out with bug tickets if you run into issues with this.

https://osc.github.io/ood-documentation/latest/reference/files/ood-portal-yml.html

Oh! And the next version, 2.1, is going to be available on Ubuntu 20.04.