May 2010


Christopher Bongaarts <[log in to unmask]>
Reply To:
UofMN CSS Web Development <[log in to unmask]>
Thu, 20 May 2010 12:04:07 -0500
text/plain (71 lines)
Aaron J. Zirbes wrote:
> I'm trying to move some stuff from Chris's CAH to Shibboleth, but I'm
> having a hard time finding any U of MN specific documentation for our U
> of MN IDP.
> There's an excellent writeup on U of MN CAH that Chris did a while back,
> and I was hoping for something similar for Shib.

This is in the works, but is not out there yet.  For now, I can 
summarize the U specific aspects of the Shib service:

- All service providers (SPs) need to be registered with the IdP to 
get service.  This is different than CAH, where anyone could use 
WEBCOOKIE to get an Internet ID back without any coordination with us. 
Registration basically means exchanging SAML metadata (an XML document 
that describes your IdP or SP).

- Shib single-signon is integrated with CAH single-signon.  So you only 
need to log in once to a CAH _OR_ Shib-enabled app, and you can use any 
other Shib or CAH app with equal or lesser minimum auth requirements 
without relogging in.

- If your application would be useful outside the University of 
Minnesota, we can add it to the InCommon Federation.  Then you can 
leverage IdPs at other institutions across North America.

- Access to additional data beyond a bare Internet ID requires an 
approved data Access Request Form, just as it did with CAH.  In Shib, 
you get the data back as SAML attributes.

The Shib Wiki is the best place to learn about Shib and SAML in general. 
One of the advantages of SAML vs. CAH is that the former is a 
standardized, well documented protocol in use by thousands of 
organizations.  That minimizes the amount of site-specific documentation 

> I was able to glean some information such as the server name
> (idp.shib.umn.edu), but not enough to get functioning.

Correct - you need our metadata, and we need to add yours.

> Is there anything in the U of MN Wiki, or on the OIT web site to get me
> working, or is there someone specific I should talk to?

The right contact for now is the Identity Management group (of which I 
am part), <[log in to unmask]>

> This will be running on an Apache 2.2 with an AJP connector to Tomcat 6
> on Ubuntu Server 10.04 LTS 64-bit.
> I'd rather skip the Apache part, but it appears that Shib only works
> with Apache
> (IIS 7 on Win Srv 2008 R2 64-bit will be next on my list)

The Shibboleth SP software runs in Apache or IIS.  If you google around 
for "java sp" you might find pointers to some work done by the Danish 
government to do a SAML implementation in Java.  One other notable 
alternative is simpleSAMLphp: http://rnd.feide.no/simplesamlphp/ which 
is a pure PHP implementation of the SAML protocols.  This is an 
advantage of using a standard protocol: you don't have to use Shibboleth 
to interoperate with our SAML IdP...

As we go along and refine our procedures and documentation, we'll be 
putting more information out there, and I'll probably end up taking the 
show on the road to CSS-DEV, net-people, etc. for presentations on using it.

%%  Christopher A. Bongaarts   %%  [log in to unmask]       %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
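The message above says registration "basically means exchanging SAML metadata". The following is an added example, not code from the original message or from the Shibboleth project, showing both halves of that exchange: building the EntityDescriptor an SP hands to the IdP operator, and pulling out of the IdP's metadata the two things the SP must pin before it can trust a login (the SSO endpoints per binding and the IdP signing certificate). Only the hostname idp.shib.umn.edu comes from the message; the entityIDs, endpoint paths, the SP hostname and the certificate values are assumptions made up for the example, and the IdP metadata is a constructed sample.

```python
"""SAML metadata exchange, as used to register a Shibboleth SP with an IdP.

Added example (not from the original message): builds the SP's own metadata
and extracts what the SP needs from the IdP's metadata. Everything except the
hostname idp.shib.umn.edu (entityIDs, paths, certificates) is an assumption.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)


def build_sp_metadata(entity_id, acs_url, cert_b64):
    """Return SAML 2.0 SP metadata (an EntityDescriptor) as an XML string.

    This is the document the SP gives the IdP operator at registration: who the
    SP is (entityID), where assertions may be posted (the ACS URL), and which
    certificate it signs requests with / wants assertions encrypted to.
    """
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(
        root, f"{{{MD}}}SPSSODescriptor",
        AuthnRequestsSigned="true", WantAssertionsSigned="true",
        protocolSupportEnumeration=SAML2P,
    )
    kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor")  # no 'use': signing + encryption
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = (
        "urn:oasis:names:tc:SAML:2.0:nameid-format:transient")
    ET.SubElement(
        sp, f"{{{MD}}}AssertionConsumerService",
        Binding=HTTP_POST, Location=acs_url, index="1", isDefault="true",
    )
    return ET.tostring(root, encoding="unicode")


def parse_idp_metadata(idp_metadata_xml):
    """Extract entityID, SSO endpoints by binding and signing certs from IdP metadata.

    The SP pins the signing certificate(s) found here; an assertion that is not
    signed by one of them must be rejected. Metadata parsed from an untrusted
    source should go through a hardened parser (e.g. defusedxml) first.
    """
    root = ET.fromstring(idp_metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall(f"{{{MD}}}SingleSignOnService")}
    certs = [
        c.text.strip()
        for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
        if kd.get("use") in (None, "signing")  # absent 'use' covers signing too
        for c in kd.iter(f"{{{DS}}}X509Certificate")
    ]
    if not certs:
        raise ValueError("IdP metadata carries no signing certificate")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


# Constructed IdP metadata for the example. The real UMN IdP entityID and
# endpoint paths are not on the page; the values below are assumptions.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.shib.umn.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2P}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...IDPCERT...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://idp.shib.umn.edu/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://idp.shib.umn.edu/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    sp_xml = build_sp_metadata(
        "https://myapp.example.umn.edu/shibboleth",                 # assumed entityID
        "https://myapp.example.umn.edu/Shibboleth.sso/SAML2/POST",  # assumed ACS URL
        "MIIC...SPCERT...",                                         # placeholder cert
    )
    print(sp_xml)
    print(parse_idp_metadata(SAMPLE_IDP_METADATA))
```

The check that refuses a document without an IDPSSODescriptor matters in practice: an SP configured with another SP's metadata, or with the wrong half of the exchange, will fail in confusing ways at login time rather than at configuration time. Likewise, the IdP's metadata should be obtained over a trusted channel (or verified against a signature whose key you already hold) because whoever controls the signing certificate listed in it can mint assertions for any Internet ID.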