Hi Chris,

A few years back, I set up CSUF's VCL to authenticate and use the attributes from InCommon.
(Thanks again Josh!)

I even added a few attributes like 'eduCourseMember' and 'isMemberOf' (based on LDAP groups).

I'd be happy to help. Send me a message if you're interested.

__Jim


On 8/15/2014 8:19 AM, Christopher Wolfe wrote:
All,

Has anyone had experience setting up VCL to authenticate/authorize against InCommon? I've seen, but not explored, what appears to be shibboleth code in conf.php.

My understanding is that I need to map the attributes provided by LDAP, etc. into the data structure in conf.php. However, I foresee a few pitfalls, and am not sure how best to accommodate them. First, user names (first, last) are not provided for students for privacy reasons. Second, depending on type of account (staff, student, admin, etc.) different attribute stores/IPs are available, with different attribute names. Regarding the first point, is it possible to supply a generic name for all users (i.e. John Doe)? Would this cause problems with VCL? Regarding the second point, is it sufficient to add an entry to authMechs for each provider? The code appears to be structured this way, so I assume so. If so, how is the mechanism selected for a particular login? Is each mechanism tried until one succeeds or all fail? If so, how could I achieve preferential ordering of mechanisms (I believe Perl 5.18+ hashes are randomized, and so we can't rely on the ordering specified in conf.php)?

Thanks,

Chris Wolfe


