<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Paul, <br>
</p>
<p>I've done an integration of Openathens with Koha using the
mod_auth_mellon Apache module
<a class="moz-txt-link-freetext" href="https://github.com/latchset/mod_auth_mellon">https://github.com/latchset/mod_auth_mellon</a> (rather than using the
EBSCO plugin). <br>
</p>
<p><br>
</p>
<p>The workflow I did is:</p>
<p>1. Checked out the master branch of mod_auth_mellon</p>
<p>2. Navigated into mod_auth_mellon</p>
<p>3. Generated the Koha SP (Service Provider) XML metadata
endpoint, cert and key file. <br>
</p>
<pre>./mellon_create_metadata.sh <full_opac_test_site_url> <full_opac_test_site_url>/saml
</pre>
<p> 4. Moved those files into a new directory
/etc/koha/sites/<instance>/saml<br>
</p>
<p>5. Sent the metadata XML file I'd made to EBSCO and received
their one back and put it in /etc/koha/sites/<instance>/saml<br>
</p>
<p>6. Edit the Apache conf file (
/etc/apache2/sites-available/<instance>.conf ):</p>
<pre><Location />
MellonEnable "auth"
MellonUser "NameID"
MellonSPPrivateKeyFile /etc/koha/sites/<instance>/saml/<opac_test_site_url>.key
MellonSPCertFile /etc/koha/sites/<instance>/saml/<opac_test_site_url>.cert
MellonSPMetadataFile /etc/koha/sites/<instance>/saml/<opac_test_site_url>.xml
MellonIdPMetadataFile /etc/koha/sites/<instance>/saml/<client_supplied_metadata>.xml
MellonEndpointPath /saml
# Set environment variables with the values of IdP attributes
MellonSetEnv "principalname" "<IdP_UPN_attribute_name>"
MellonSetEnv "givenname" "<IdP_firstname_attribute_name>"
MellonSetEnv "surname" "<IdP_surname_attribute_name>"
MellonSetEnv "email" "<IdP_email_attribute_name>"
# Unset and reset X_REMOTE_UPN
Header unset X_REMOTE_UPN
RequestHeader unset X_REMOTE_UPN
RequestHeader set X_REMOTE_UPN %{MELLON_principalname}e
# Unset and reset the X_REMOTE_GIVENNAME
Header unset X_REMOTE_GIVENNAME
RequestHeader unset X_REMOTE_GIVENNAME
RequestHeader set X_REMOTE_GIVENNAME %{MELLON_givenname}e
# Unset and reset the X_REMOTE_SURNAME
Header unset X_REMOTE_SURNAME
RequestHeader unset X_REMOTE_SURNAME
RequestHeader set X_REMOTE_SURNAME %{MELLON_surname}e
# Unset and reset the X_REMOTE_EMAIL
Header unset X_REMOTE_EMAIL
RequestHeader unset X_REMOTE_EMAIL
RequestHeader set X_REMOTE_EMAIL %{MELLON_email}e
</Location>
</pre>
<p>Here the <i>IdP_UPN_attribute_name</i> is the attribute (claim)
that Openathens is sending to Koha in the SAML POST request, we're
assigning it to the Mellon environment variable "principalname"
and then putting it in the header as <i>X_REMOTE_UPN</i><br>
</p>
<p><br>
</p>
<p>7. Install the following packages:</p>
<pre>sudo apt-get install libapache2-mod-auth-mellon
</pre>
<pre>sudo a2enmod expires
</pre>
<pre>sudo systemctl restart apache2
</pre>
<pre>sudo apachectl configtest
</pre>
<pre>sudo apachectl restart
</pre>
<pre>apt-cache policy libapache2-mod-auth-mellon
sudo apt-get install liblasso3
sudo apachectl restart
</pre>
<br>
<div class="moz-cite-prefix">8. Amend the koha-conf.xml file adding
the following tags:</div>
<div class="moz-cite-prefix">
<pre><trusted_header_upn>X_REMOTE_UPN</trusted_header_upn>
<trusted_header_givenname>X_REMOTE_GIVENNAME</trusted_header_givenname>
<trusted_header_surname>X_REMOTE_SURNAME</trusted_header_surname>
<trusted_header_email>X_REMOTE_EMAIL</trusted_header_email>
</pre>
</div>
<div class="moz-cite-prefix">9. Something to note is that when using
mod_auth_mellon the Plack user runs as www-data, so you will
need to change the AssignUserID in the Apache conf to be:<br>
</div>
<div class="moz-cite-prefix">
<pre>AssignUserID www-data <instance>-koha
</pre>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">You'll also need to amend your
debian/scripts/koha-plack script to replace:</div>
<div class="moz-cite-prefix">
<pre>instance_user="${instancename}-koha"</pre>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">With:</div>
<div class="moz-cite-prefix">
<pre>instance_user="www-data"</pre>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Also please note when using
mod_auth_mellon you'll need to make sure the Koha instance you're
setting this up for is on a standalone server (i.e. no other Koha
instance on the server) because the changing of the user that
Plack runs as introduces a security risk on a multi-instance
server. <br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">10. Change the ownership of
/var/cache/koha/<instance>, because Plack now running
as <i>www-data</i> cannot read it:</div>
<div class="moz-cite-prefix">
<pre>sudo chown www-data -R /var/cache/koha/<instance>
</pre>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">11. You'll need to introduce a
customization in C4/Auth.pm now (though I am shortly going to be
upstreaming this customization so you'll see a bug report from me
for it soon):</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">11a. Add a new subroutine get_header()
- This retrieves the Openathens values stored in the header in the
Apache conf:<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<pre>sub get_header {
    my ($header) = @_;
    my $q = CGI->new();
    # Prepend HTTP_ as that's how they come through
    my $h_val = $q->http('HTTP_' . $header);
    return $h_val;
}
</pre>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">11b. Amend C4::Auth->checkauth():</div>
<div class="moz-cite-prefix"><font size="-1"><i><br>
</i></font></div>
<pre>my $trusted_header = C4::Context->config('trusted_header');
# Store the header value returned by the get_header subroutine (the UPN,
# givenname, surname or email header, whichever is configured) in $trust_head_val
my $trust_head_val = $trusted_header ? get_header($trusted_header) : undef;
</pre>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">....</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Now above this line (<i>elsif ( $emailaddress ) {</i>)
add in a new elsif:</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><font size="-1"><i><span class="pl-k"><br>
</span></i></font></div>
<pre>} elsif ($trust_head_val && $trust_head_val ne '(null)') {
    $userid = $trust_head_val;
    # This uses something like
    # <trusted_header>X_REMOTE_USER</trusted_header>
    # in koha-conf.xml, and checks that header on the incoming request.
    # If it is there and contains a user ID, we believe it and log the
    # user in with that. This is intended for things like plack behind a
    # reverse proxy that does auth, and puts the user ID into a header.
    #
    # Basically, we treat it just like basic auth.
    $cookie = $query->cookie(
        -name     => 'CGISESSID',
        -value    => '',
        -expires  => '',
        -HttpOnly => 1,
    );
    C4::Context->_new_userenv(undef);
    # Call check_user_exists subroutine and check if there is a
    # borrower.userid matching the UPN
    $loggedin = check_user_exists($userid);
}
</pre>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Note: This is assuming the UPN
Openathens is sending Koha matches/is stored in the
borrower.userid. If Openathens wants to only use email, i.e. the
email address Openathens sends Koha in the POST request matches
borrowers.email, then you'll need to amend the SQL query in
check_user_exists.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">A couple more things to note:</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">1. If your Koha server is behind a load
balancer then you need to include the https:// in the
ServerName directive, e.g. ServerName <a class="moz-txt-link-freetext" href="https://demo.koha.com">https://demo.koha.com</a></div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">This is because SAML requires the web
server to identify as the same server in the SP metadata (e.g.
https://<URL>). But when a Koha server is behind a LB it
does not identify itself including the https protocol so you need
to include it. <br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">There is more detail on that here:
<a class="moz-txt-link-freetext" href="https://jdennis.fedorapeople.org/doc/mellon-user-guide/mellon_user_guide.html#_server_name">https://jdennis.fedorapeople.org/doc/mellon-user-guide/mellon_user_guide.html#_server_name</a><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I know that is for Fedora (I can't find
the documentation link I had discussing it in an Ubuntu context)
but it is the same principle.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I hope all this helps and if you need
any more information please let me know!</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Thanks,</div>
<div class="moz-cite-prefix">Alex<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 25/03/20 5:00 am, Chris Cormack
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:626708CA-A6BF-4821-8CB6-D0779207515A@catalyst.net.nz">
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<br>
<br>
<div
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";padding:3.0pt
0in 0in 0in">
<hr style="border:none;border-top:solid #E1E1E1 1.0pt">
<b>From:</b> Paul Poulain <a class="moz-txt-link-rfc2396E" href="mailto:paul.poulain@biblibre.com"><paul.poulain@biblibre.com></a><br>
<b>Sent:</b> 25 March 2020 4:57:14 AM NZDT<br>
<b>To:</b> <a class="moz-txt-link-rfc2396E" href="mailto:koha-devel@lists.koha-community.org">"koha-devel@lists.koha-community.org"</a>
<a class="moz-txt-link-rfc2396E" href="mailto:koha-devel@lists.koha-community.org"><koha-devel@lists.koha-community.org></a><br>
<b>Subject:</b> [Koha-devel] Koha and Ebsco OpenAthens<br>
</div>
<br>
<pre class="k9mail">Hello,
does anyone have experience in setting OpenAthens for Koha. There's an
Ebsco plugin (<a href="https://github.com/ebsco/openathens-koha-plugin" moz-do-not-send="true">https://github.com/ebsco/openathens-koha-plugin</a>), but it
seems to be for old versions of Koha.
any feedback highly appreciated !
--
Paul Poulain, Associé-gérant / co-owner
BibLibre, Services en logiciels libres pour les bibliothèques
BibLibre, Open Source software and services for libraries<hr>Koha-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Koha-devel@lists.koha-community.org">Koha-devel@lists.koha-community.org</a>
<a href="https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel" moz-do-not-send="true">https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel</a>
website : <a href="http://www.koha-community.org/" moz-do-not-send="true">http://www.koha-community.org/</a>
git : <a href="http://git.koha-community.org/" moz-do-not-send="true">http://git.koha-community.org/</a>
bugs : <a href="http://bugs.koha-community.org/" moz-do-not-send="true">http://bugs.koha-community.org/</a>
</pre>
<br>
-- <br>
Sent from my Android device with K-9 Mail. Please excuse my
brevity.
</blockquote>
<pre class="moz-signature" cols="72">--
Alex Buckley
Koha Developer
Catalyst IT - Expert Open Source Solutions
DDI: +64 4 803 2378 | Mob: +64 22 429 6157 | <a class="moz-txt-link-abbreviated" href="http://www.catalyst.net.nz">www.catalyst.net.nz</a>
</pre>
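<p>Added example (not code from this thread, nor from Koha or mod_auth_mellon): a small Python lint for the trusted-header hand-off described above. It reads the trusted_header_* tags from a constructed koha-conf.xml fragment and checks, for each header, how the vhost's Mellon Location block treats it: "RequestHeader set" replaces any client-supplied value, so a header Koha trusts that Apache neither unsets nor sets would reach Koha straight from the client. Both configuration fragments are constructed.</p>

```python
import re

# Constructed koha-conf.xml fragment with the four tags the e-mail adds in step 8.
KOHA_CONF = """<config>
<trusted_header_upn>X_REMOTE_UPN</trusted_header_upn>
<trusted_header_givenname>X_REMOTE_GIVENNAME</trusted_header_givenname>
<trusted_header_surname>X_REMOTE_SURNAME</trusted_header_surname>
<trusted_header_email>X_REMOTE_EMAIL</trusted_header_email>
</config>"""

# Constructed vhost fragment in the shape of the e-mail's <Location /> block.
GOOD_VHOST = """<Location />
MellonEnable "auth"
RequestHeader unset X_REMOTE_UPN
RequestHeader set X_REMOTE_UPN %{MELLON_principalname}e
RequestHeader unset X_REMOTE_GIVENNAME
RequestHeader set X_REMOTE_GIVENNAME %{MELLON_givenname}e
RequestHeader unset X_REMOTE_SURNAME
RequestHeader set X_REMOTE_SURNAME %{MELLON_surname}e
RequestHeader unset X_REMOTE_EMAIL
RequestHeader set X_REMOTE_EMAIL %{MELLON_email}e
</Location>"""

# Broken variant: X_REMOTE_EMAIL is neither cleared nor set (a client could supply
# it), and X_REMOTE_SURNAME is cleared but never filled from a MELLON_* variable.
BAD_VHOST = GOOD_VHOST.replace("RequestHeader unset X_REMOTE_EMAIL\n", "").replace(
    "RequestHeader set X_REMOTE_EMAIL %{MELLON_email}e\n", "").replace(
    "RequestHeader set X_REMOTE_SURNAME %{MELLON_surname}e\n", "")

def trusted_headers(koha_conf):
    # koha-conf tag -> header name, e.g. {'trusted_header_upn': 'X_REMOTE_UPN'}
    return dict(re.findall(r"<(trusted_header_\w+)>\s*([\w-]+)\s*</\1>", koha_conf))

def lint(koha_conf, apache_conf):
    """Classify each header Koha trusts by how the Mellon <Location> block treats it."""
    m = re.search(r"<Location\b[^>]*>(.*?)</Location>", apache_conf, re.S | re.I)
    lines = [l.strip() for l in (m.group(1) if m else "").splitlines()]
    verdicts = {}
    for header in trusted_headers(koha_conf).values():
        unset = [i for i, l in enumerate(lines) if re.fullmatch(rf"RequestHeader\s+unset\s+{header}", l)]
        set_ = [i for i, l in enumerate(lines) if re.fullmatch(rf"RequestHeader\s+set\s+{header}\s+%\{{MELLON_\w+\}}e", l)]
        if not set_ and not unset:   # passes through from the client untouched
            verdicts[header] = "client_controlled"
        elif not set_ or unset and unset[-1] > set_[-1]:  # Koha trusts it, Apache never fills it
            verdicts[header] = "never_set"
        else:                        # "set" from MELLON_* replaces any client-supplied value
            verdicts[header] = "ok"
    return {"mellon_auth": 'MellonEnable "auth"' in lines, "headers": verdicts}
```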
</body>
</html>