Aaron J. Zirbes wrote:
> I'm trying to move some stuff from Chris's CAH to Shibboleth, but I'm
> having a hard time finding any U of MN specific documentation for our U
> of MN IDP.
>
> There's an excellent writeup on U of MN CAH that Chris did a while back,
> and I was hoping for something similar for Shib.
This is in the works, but is not out there yet. For now, I can
summarize the U specific aspects of the Shib service:
- All service providers (SPs) need to be registered with the IdP to
get service. This is different than CAH, where anyone could use
WEBCOOKIE to get an Internet ID back without any coordination with us.
Registration basically means exchanging SAML metadata (an XML document
that describes your IdP or SP).
- Shib single-signon is integrated with CAH single-signon. So you only
need to log in once to a CAH _OR_ Shib-enable app, and you can use any
other Shib or CAH app with equal or lesser minimum auth requirements
without relogging in.
- If your application would be useful outside the University of
Minnesota, we can add it to the InCommon Federation. Then you can
leverage IdPs at other institutions across North America.
- Access to additional data beyond a bare Internet ID requires an
approved data Access Request Form, just as it did with CAH. In Shib,
you get the data back as SAML attributes.
The Shib Wiki is the best place to learn about Shib and SAML in general.
One of the advantages of SAML vs. CAH is that the former is a
standardized, well documented protocol in use by thousands of
organizations. That minimizes the amount of site-specific documentation
necessary.
> I was able to glean some information such as the server name
> (idp.shib.umn.edu), but not enough to get functioning.
Correct - you need our metadata, and we need to add yours.
> Is there anything in the U of MN Wiki, or on the OIT web site to get me
> working, or is there someone specific I should talk to?
The right contact for now is the Identity Management group (of which I
am part), <[log in to unmask]>
> This will be running on an Apache 2.2 with an AJP connector to Tomcat 6
> on Ubunut Server 10.04 LTS 64-bit.
>
> I'd rather skip the Apache part, but it appears that Shib only works
> with Apache
> (IIS 7 on Win Srv 2008 R2 64-bit will be next on my list)
The Shibboleth SP software runs in Apache or IIS. If you google around
for "java sp" you might find pointers to some work done by the Danish
government to do a SAML implementation in Java. One other notable
alternative is simpleSAMLphp: http://rnd.feide.no/simplesamlphp/ which
is a pure PHP implementation of the SAML protocols. This is an
advantage of using a standard protocol: you don't have to use Shibboleth
to interoperate with our SAML IdP...
As we go along and refine our procedures and documentation, we'll be
putting more information out there, and I'll probably end up taking the
show on the road to CSS-DEV, net-people, etc. for presentations on using it.
--
%% Christopher A. Bongaarts %% [log in to unmask] %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
|