Open Journal Systems (OJS)
Open Journal Systems (OJS) is an open source software application for managing and publishing scholarly journals. Originally developed and released by PKP in 2001 to improve access to research, it is the most widely used open source journal publishing platform in existence, with over 10,000 journals using it worldwide.
All examples assume you have installed and configured Shibboleth with FastCGI support, that the authorizer and responder are already operating with suitable nginx location blocks, and that shib_request is available.
OJS 3 has Shibboleth support but lacks Optional implicit authentication; it is either all or nothing at present.
Document is under development at present.
With FastCGI (or other non-HTTP proxy) hosting of our application, we can pass the Shibboleth attributes as FastCGI parameters instead of request headers, which avoids the need for headers and the possibility of a client spoofing them. Bear in mind this feature requires nginx-http-shibboleth 2.0 or above.
In short, the configuration below sets up one specific endpoint (implicitAuthReturn) to receive the Shibboleth variables and sets OJS up to allow Shibboleth authentication and read a user's data from corresponding environment variables.
server {
    # ... other configuration for serving OJS, PHP, etc
    # ... other location blocks for nginx-http-shibboleth as per https://github.com/nginx-shib/nginx-http-shibboleth#configuration

    # Shibboleth authentication end-point for OJS
    location = /index.php/index/login/implicitAuthReturn {
        shib_request /shibauthorizer;

        # Add or modify to suit your Shibboleth variable configuration
        # This ensures that ONLY this endpoint receives the variables as FastCGI params
        shib_request_set $shib_givenname $upstream_http_variable_givenname;
        fastcgi_param GIVENNAME $shib_givenname;
        shib_request_set $shib_sn $upstream_http_variable_sn;
        fastcgi_param SN $shib_sn;
        shib_request_set $shib_email $upstream_http_variable_email;
        fastcgi_param EMAIL $shib_email;
        shib_request_set $shib_organizationname $upstream_http_variable_organizationname;
        fastcgi_param ORGANIZATIONNAME $shib_organizationname;

        include conf.d/php-location;
    }
}
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
    return 404;
}
fastcgi_pass 127.0.0.1:9000;
fastcgi_intercept_errors on;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
more_clear_headers 'X-Powered-By';
; Is implicit authentication enabled or not
; Optional allows both local login and Shibboleth at the same time
implicit_auth = Optional
; Implicit Auth Header Variables
; Add or adjust configuration for other variables. MUST match Nginx's fastcgi_params
implicit_auth_header_first_name = GIVENNAME
implicit_auth_header_last_name = SN
implicit_auth_header_email = EMAIL
;implicit_auth_header_phone = TELEPHONENUMBER
;implicit_auth_header_initials = METADATA_INITIALS
implicit_auth_header_mailing_address = ORGANIZATIONNAME
implicit_auth_header_uin = EMAIL
; A space delimited list of uins to make admin (separate entries with spaces, not commas)
implicit_auth_admin_list = "[email protected] [email protected] [email protected]"
; URL of the implicit auth 'Way Finder' page. See pages/login/LoginHandler.inc.php for usage.
implicit_auth_wayf_url = "/Shibboleth.sso/Login"
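
A consistency check for the two fragments above, added here as an example (not part of the original page, OJS or nginx-http-shibboleth): it confirms that every implicit_auth_header_* setting names a FastCGI param that nginx fills from a shib_request_set variable rather than from anything client-supplied. The sample inputs are constructed, with ORGANIZATIONNAME left out of the nginx block to show a mismatch, and the function names are hypothetical.

```python
import re

# Constructed samples mirroring the nginx location block and OJS settings on this page.
NGINX_LOCATION = """
location = /index.php/index/login/implicitAuthReturn {
    shib_request /shibauthorizer;
    shib_request_set $shib_givenname $upstream_http_variable_givenname;
    fastcgi_param GIVENNAME $shib_givenname;
    shib_request_set $shib_sn $upstream_http_variable_sn;
    fastcgi_param SN $shib_sn;
    shib_request_set $shib_email $upstream_http_variable_email;
    fastcgi_param EMAIL $shib_email;
}
"""
OJS_CONFIG = """
implicit_auth_header_first_name = GIVENNAME
implicit_auth_header_last_name = SN
implicit_auth_header_email = EMAIL
;implicit_auth_header_phone = TELEPHONENUMBER
implicit_auth_header_mailing_address = ORGANIZATIONNAME
implicit_auth_header_uin = EMAIL
"""

SHIB_SET = re.compile(
    r"^\s*shib_request_set\s+(\$\w+)\s+\$upstream_http_variable_\w+\s*;", re.M)
FCGI_PARAM = re.compile(r"^\s*fastcgi_param\s+(\w+)\s+(\$\w+)\s*;", re.M)
OJS_SETTING = re.compile(r"^\s*(implicit_auth_header_\w+)\s*=\s*(\w+)\s*$", re.M)

def nginx_shib_params(text):
    """Map FastCGI param name -> nginx variable, keeping only params whose
    variable is populated by shib_request_set from the authorizer response."""
    trusted = set(SHIB_SET.findall(text))
    return {name: var for name, var in FCGI_PARAM.findall(text) if var in trusted}

def ojs_header_settings(text):
    """Map each uncommented implicit_auth_header_* setting -> variable name it reads."""
    return dict(OJS_SETTING.findall(text))

def unmatched_settings(nginx_text, ojs_text):
    """Return OJS settings whose variable nginx never passes from Shibboleth."""
    passed = nginx_shib_params(nginx_text)
    settings = ojs_header_settings(ojs_text)
    return sorted(key for key, var in settings.items() if var not in passed)

if __name__ == "__main__":
    for setting in unmatched_settings(NGINX_LOCATION, OJS_CONFIG):
        print(f"{setting}: no shib_request_set-backed fastcgi_param in nginx")
```

A fastcgi_param whose value comes from a request header variable such as $http_email is deliberately not counted as passed, since that would reintroduce the spoofing risk the FastCGI approach is meant to avoid.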