Hi Theodoros,
On Wednesday, 6 June 2012 14.56:58, Theodoros Theodoropoulos wrote:
> My institution uses a Shibboleth 2 IDP (with LDAP authentication that
> follows the eduPerson schema) and I'm looking for a way to /quickly/
> implement Shibboleth authentication in a new Invenio (v1.x) installation.
>
> For the moment, I have:
> * Installed Invenio v1.x (from master) and created the demo site :)
> * Installed (but not yet configured) the latest SP from the official
> Shibboleth repo, on the Invenio site
> * Configured the access_control_config file to ensure
> CFG_EXTERNAL_AUTH_USING_SSO is set (in a similar way to what CERN does)
> * Rerun the inveniocfg --create-apache-conf to create the additional
> apache directives needed for Shibboleth
>
> So far, everything does _not_ work, as expected...
> https://CFG_SITE_URL/youraccount/login|Shibboleth.sso/ correctly returns
> a "No MetadataProvider" exception, because I have not yet configured the
> shibboleth2.xml, attribute-map.xml, etc files (this is the next in my
> TODO list).
>
> For sure, I will have to come back with more specific questions, once I
> have a proper response from the Institutional IDP with all the required
> attributes, however, in the meantime, I was wondering how difficult it
> would be for a novice python programmer to implement the required
> classes mentioned in webaccess-admin-guide for the shibboleth
> authentication, and whether anyone who has already been through this, is
> willing to share the knowledge and experiences behind the process.
Invenio comes out-of-the-box with a plugin that supports Shibboleth 2.
It's modules/webaccess/lib/external_authentication_sso.py
What it does implicitly is load all information about the user from
environment variables that the Shibboleth modules place on the request.
As you can see from the start of this file, there are several config
variables that you might tune. For example, the module is trying to look for
variables called ADFS_... and e.g. will retrieve the email of the user from
ADFS_EMAIL.
Your mileage may vary :-)
What I'd suggest is that you clone this plugin so that you are then free to
tweak these parameters. You will then have to enable it in
access_control_config.py as well...
But basically it will all depend on your shibboleth2.xml and
attribute-map.xml files and the names of the variables that Shibboleth will
hence put in the environment of the request.
Good luck! Let me know if you need any other info...
Cheers!
Sam
--
Samuele Kaplun
Invenio Developer ** <http://invenio-software.org/>
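
The mechanism described in the reply above, reading user attributes from request environment variables whose names follow attribute-map.xml, shown as an added example that is not part of the original message and is not Invenio's plugin code. `user_from_environ`, `split_values`, `MissingAttribute` and the variable names `mail` and `affiliation` are hypothetical; only `ADFS_EMAIL` comes from the thread.

```python
import re

# Logical field -> request environment variable. ADFS_EMAIL is the name
# mentioned in the thread; a site overrides this mapping so that it matches
# the attribute ids declared in its own attribute-map.xml.
DEFAULT_VARS = {"email": "ADFS_EMAIL"}


class MissingAttribute(Exception):
    """The required attribute was not released by the IdP or not mapped by the SP."""


# The Shibboleth SP joins multiple values with ';' and escapes a literal ';' as '\;'.
_SEPARATOR = re.compile(r"(?<!\\);")


def split_values(raw):
    """Split one SP-exported variable into its individual attribute values."""
    return [v.replace("\\;", ";") for v in _SEPARATOR.split(raw) if v]


def user_from_environ(environ, var_names=DEFAULT_VARS):
    """Build a user record from the variables the SP placed on the request."""
    user = {}
    for field, var in var_names.items():
        # Read only the exact variable name. HTTP_<name> keys are request
        # headers chosen by the client and must never be used as a fallback.
        user[field] = split_values(environ.get(var, ""))
    emails = user.get("email", [])
    if len(emails) != 1:
        raise MissingAttribute("expected exactly one e-mail value, got %d" % len(emails))
    user["email"] = emails[0]
    return user


if __name__ == "__main__":
    # Constructed sample environment for an eduPerson-style mapping (assumed names).
    sample = {
        "mail": "alice@example.org",
        "affiliation": "staff;member",
        "HTTP_MAIL": "mallory@example.net",  # client-sent header, ignored
    }
    print(user_from_environ(sample, {"email": "mail", "groups": "affiliation"}))
```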