Ilios v3 and Shibboleth Authentication
Ilios makes a few assumptions regarding the Shibboleth implementation that need to be met in order for it to work out of the box.
As of version 3.13, these defaults can be overridden via config options in your installation's parameters.yml file.
- Ilios expects the IdP to assert eppn as the user-identifying attribute in authenticated user sessions. This attribute can be changed by overriding the shibboleth_authentication_user_id_attribute configuration parameter.
  ACHTUNG! Mapping to something other than EPPN carries the potential of authenticating with identities that are not guaranteed to be unique across campuses. This makes it difficult (maybe impossible) to hook up an Ilios instance to a federation like InCommon without first remapping all existing users.
- By default, Ilios will assume your SP's log-in page to be located at /Shibboleth.sso/Login. Logging out of Ilios will land the user at the /Shibboleth.sso/Logout path on the SP. Both paths can be overridden via the shibboleth_authentication_login_path and shibboleth_authentication_logout_path parameters.
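
The uniqueness concern behind the eppn warning above, shown as an added example that is not part of the Ilios documentation or code base: it finds identifier values asserted by more than one IdP and lists stored user ids that would need remapping before joining a federation. The uid attribute stands in for any unscoped local attribute, and the IdP URLs, user ids and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: attributes two campus IdPs in one federation might release.
# "uid" is an assumed stand-in for any unscoped, campus-local identifier.
ASSERTIONS = [
    {"idp": "https://idp.campus-a.example/shibboleth",
     "uid": "jdoe", "eppn": "jdoe@campus-a.example"},
    {"idp": "https://idp.campus-b.example/shibboleth",
     "uid": "jdoe", "eppn": "jdoe@campus-b.example"},
    {"idp": "https://idp.campus-b.example/shibboleth",
     "uid": "asmith", "eppn": "asmith@campus-b.example"},
]


def colliding_ids(assertions, attribute):
    """Map each value of `attribute` asserted by more than one IdP to those IdPs.

    Any entry here is a single Ilios user id that two different people,
    authenticated at two different campuses, would both resolve to.
    """
    seen = defaultdict(set)
    for assertion in assertions:
        seen[assertion[attribute]].add(assertion["idp"])
    return {value: sorted(idps) for value, idps in seen.items() if len(idps) > 1}


def is_scoped(value):
    """True when the value has the user@scope shape that eppn uses."""
    local, sep, scope = value.partition("@")
    return bool(local and sep and scope and "@" not in scope)


def needs_remap(stored_ids):
    """Stored user ids that are unscoped and must be remapped before federating."""
    return [value for value in stored_ids if not is_scoped(value)]


if __name__ == "__main__":
    for attribute in ("uid", "eppn"):
        print(attribute, "collisions:", colliding_ids(ASSERTIONS, attribute))
    # Constructed sample of ids as they might already sit in the user table.
    print("remap:", needs_remap(["jdoe", "asmith@campus-b.example"]))
```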