
AC Login - installation and configuration guide

Overview

This method relies on the fact that Adobe Connect accepts a user's session as a GET parameter with no further checks. Of course, such a session must exist on the server side. The authentication itself is performed by an external login application running on an external server. The login application is protected by a Shibboleth SP. If a user authenticates successfully, the application initiates authentication to the Adobe Connect server on behalf of the user. After a successful authentication to the server, the login application simply redirects the user to the server, passing the session as a GET variable.

The login application is written in PHP and runs under the Apache web server. Its communication with the Adobe Connect server goes through a generic API, also written in PHP, which provides an application layer on top of the remote XML API supplied with Adobe Connect.

Requirements

  • Shibboleth Service Provider 2.x (site)
  • Apache web server with SSL and PHP support
  • AC API - PHP library for the Adobe Connect API (source)
  • AC Login (source)

Installation of the required libraries

Zend Framework

Download the latest version and unpack it at a suitable location on the target system, for example in the /var/lib/php/ directory.

AC API

The library implements a client API for the remote XML API of the Adobe Connect server. Get the source from the repository and place it at a suitable location on the target system, for example in the /var/lib/php/ directory.

git clone https://homeproj.cesnet.cz/git/acapi.git

Installation and configuration of the application

Get the source from the repository and place it somewhere on the target system. We'll refer to the newly created directory as ACLOGIN_HOME.

git clone https://homeproj.cesnet.cz/git/aclogin.git

Apache

In Apache configuration we need to create an alias to the ACLOGIN_HOME/www directory and protect it with Shibboleth:

Alias /aclogin ACLOGIN_HOME/www

<Directory ACLOGIN_HOME/www>
  AuthType shibboleth   
  ShibRequireSession On
  require valid-user
</Directory>

Shibboleth

The following user attributes should be properly mapped in the attribute-map.xml configuration file:

  • UID (username or any user identifier) - generally it's one of these attributes: eduPersonPrincipalName, eduPersonTargetedId, etc.
  • email
  • firstname
  • surname

You may choose your own variable names for those attributes, since you will have to map them to specific variables in the application configuration anyway. A small note about the UID attribute: in the shibboleth2.xml configuration file there is a specification of how the REMOTE_USER variable is set:

<ApplicationDefaults id="default" policyId="default" 
         entityID="https://sp.example.org/shibboleth" 
         homeURL="https://sp.example.org/index.html" 
         REMOTE_USER="eppn persistent-id targeted-id" 
         signing="false" encryption="false">

In this particular example (the default settings), if the eppn (eduPersonPrincipalName) attribute is set, the REMOTE_USER variable takes its value; otherwise it takes the persistent-id attribute value, and so on. In the application configuration (see below) there are two choices for how to extract the user ID: directly from an attribute, or from the aggregated value of REMOTE_USER.

Adobe Connect

The login application communicates with the Adobe Connect server through its remote interface. In that way the application performs operations (creating and updating users, user group settings, etc.) which require administrator privileges, so a dedicated administrator account should be created for the application.

(!) By default, Adobe Connect uses users' emails as usernames. That should be forbidden in Administration -> Users and Groups -> Edit Login and Password Policies.

AC Login

The external libraries are initialized in the ACLOGIN_HOME/init.php file. Make sure you have set the right paths to them:

// The Zend framework directory
define('ZEND_FW_DIR', '/var/lib/php/zend/');

// The directory, where the AC PHP API is installed
define('ACAPI_LIB_DIR', '/var/lib/php/acapi/');

The configuration is stored in ACLOGIN_HOME/config/aclogin.ini. After unpacking the application the configuration file does not exist yet, but there is a sample aclogin.ini.dist file with a typical configuration in which all the directives are explained. It is a plain INI file composed of sections with "key = value" pairs.

For a quick start you need to set these directives:

[general]
  • admin_email
  • entity_id
[account]
  • password_salt
  • redirect_uri
[shibboleth]
  • uid_field OR remote_user_field
  • mail_field
  • givenName_field
  • sn_field
[acapi]
  • uri
  • username
  • password

Multiple instances

It is possible to use a single AC Login installation with multiple Adobe Connect servers (instances). Each instance is defined by a name and has a separate configuration file, which has exactly the same format as the standard configuration file. Instance names are mapped to their configuration files in the config/instances.php file (it may be created from the instances.php.dist file).

A specific instance is selected with the GET parameter instance. For example, when called with the following URL, AC Login uses the configuration file assigned to the instance "connect":

https://example.com/aclogin/?instance=connect
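As an added example (not code from the AC Login project), the following PHP shows how the instance name taken from the GET parameter can be resolved through the config/instances.php mapping without ever letting the request build a file path, and how the quick-start directives listed above can be checked once the INI file is parsed. The ACLOGIN_HOME path, the array layout of instances.php and the sample INI content are assumptions.

```php
<?php
// Added example, not AC Login's own code: resolve the `instance` GET
// parameter against an explicit whitelist and verify the quick-start
// directives of the selected INI file. The instances.php layout
// (instance name => config path) is an assumption based on this guide.
const ACLOGIN_HOME = '/var/lib/aclogin';   // assumed install location

// Quick-start directives from the guide; uid_field OR remote_user_field is checked separately.
const REQUIRED_DIRECTIVES = [
    'general'    => ['admin_email', 'entity_id'],
    'account'    => ['password_salt', 'redirect_uri'],
    'shibboleth' => ['mail_field', 'givenName_field', 'sn_field'],
    'acapi'      => ['uri', 'username', 'password'],
];

/** Map an untrusted instance name to a config path by exact whitelist match. */
function resolveInstanceConfig(array $instances, ?string $requested): string
{
    if ($requested === null || $requested === '') {
        return ACLOGIN_HOME . '/config/aclogin.ini';   // default instance
    }
    // The request never becomes part of the path; only a known key is accepted.
    if (!array_key_exists($requested, $instances)) {
        throw new RuntimeException("Unknown instance: $requested");
    }
    return $instances[$requested];
}

/** Return the quick-start directives that are missing or empty in $cfg. */
function missingDirectives(array $cfg): array
{
    $missing = [];
    foreach (REQUIRED_DIRECTIVES as $section => $keys) {
        foreach ($keys as $key) {
            if (empty($cfg[$section][$key])) {
                $missing[] = "$section.$key";
            }
        }
    }
    if (empty($cfg['shibboleth']['uid_field'])
        && empty($cfg['shibboleth']['remote_user_field'])) {
        $missing[] = 'shibboleth.uid_field or shibboleth.remote_user_field';
    }
    return $missing;
}

// Constructed sample mapping and INI content; in practice use `require` on instances.php and parse_ini_file($path, true).
$instances = ['connect' => ACLOGIN_HOME . '/config/aclogin-connect.ini'];
$path = resolveInstanceConfig($instances, $_GET['instance'] ?? 'connect');
$cfg = parse_ini_string("[general]\nadmin_email=admin@example.org\n[shibboleth]\nuid_field=eppn\n", true);
print_r(missingDirectives($cfg));   // report which directives still need to be set for $path
```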

Testing the installation

To test the installation, visit https://HOSTNAME/aclogin/ (HOSTNAME is the address of the server the login application is installed on). If everything is OK, a standard federated login should be initiated (redirection to the WAYF, then to the home IdP). After that, you will be redirected to the Adobe Connect application itself and you will be logged in.

Further customizations

Generally it is a good idea to remove or hide the login form which is displayed to unauthenticated users. Instead, you may put there a link or a button that redirects the user to the login application (https://HOSTNAME/aclogin/). The Adobe Connect user interface is defined in XSL files; for example, the login form is defined in BREEZE_HOME\appserv\apps\system\login.xsl.