Re: Shibboleth

2011-11-04 Thread O'Hara, Brad
Axton,

  Thanks, this is sounding more complicated by the minute :)  I was hoping 
someone had already taken a stab at this.  One thing about the credentials, the 
Shibboleth implementation we have directs the user to a login page and we do 
not have access to them from there.

Brad

From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Axton
Sent: Thursday, November 03, 2011 11:33 AM
To: arslist@ARSLIST.ORG
Subject: Re: Shibboleth

In theory it is possible for the mid-tier authentication.  I have read up on 
it and looked into what it would take.  I will say that it will require some 
programming on your part to make it happen.
- In Shibboleth, you will need an IdP and a realm for your mid-tier application
- On the web server in front of the mid-tier, you need something that is 
capable of issuing/handling a SAML assertion (an SP)
- You need to hand the SP provided information from the web server to the 
servlet container (object; method is implementation dependent)
- Within the mid-tier, you need to implement a custom authentication servlet to 
handle the assertion
- Within the ARServer, you need to implement an AREA plugin capable of taking 
the data from your custom authentication servlet and authenticating the user

I have intentionally left out the details of how to create a trusted handshake 
between the mid-tier and AREA plug-in.  This is an area of much debate.  
Ideally you would re-validate the credentials passed to the AREA plugin within 
the AREA plugin.  What is more common is a shared secret between the 
authentication servlet and the AREA plugin.  I'm not a fan of the shared secret 
approach because once the cat's out of the bag (that being the shared secret), 
it's out, and people can blindly authenticate to your arserver.

This is all theory, not practice, so there may be some things that I've missed.  
Also, there may be other ways to approach this, for example, you may not have a 
web server in front of your servlet container, in which case the architecture, 
and subsequently, the implementation, changes.

Axton Grams

On Thu, Nov 3, 2011 at 9:38 AM, O'Hara, Brad <br...@ufl.edu> wrote:
Hi,

  Has anyone been able to use Shibboleth for authentication?

Thanks,
Brad


Brad O'Hara
Manager: Network Support Services
Computing and Networking Services
University of Florida
net-services.ufl.edu : Voice (352) 273-1347 : Fax (352) 273-0743

_attend WWRUG12 www.wwrug.com<http://www.wwrug.com> ARSlist: "Where the Answers 
Are"_

___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
attend wwrug12 www.wwrug12.com ARSList: "Where the Answers Are"
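
The contrast Axton draws in the message above between a shared secret and re-validating inside the AREA plugin, as an added example that is not code from the thread or from BMC. It assumes a simplified assertion string (user|audience|expiry) and a generated RSA key standing in for the IdP signing key; the class, method and host names are hypothetical, and neither the AREA API nor real SAML parsing is used.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
// Added illustration: not the BMC AREA API and not real SAML/XML-DSig handling.
// The "assertion" is a constructed string: user|audience|expiryEpochSeconds.
public class AreaTrustDemo {
    static final String AUDIENCE = "midtier.example.edu"; // hypothetical SP name
    // Shared-secret handshake: 'user' is never checked, only the secret is.
    static boolean sharedSecretLogin(String user, String presented, String expected) {
        return MessageDigest.isEqual(presented.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }

    // Re-validation: the plugin itself checks signature, subject, audience, expiry.
    static boolean revalidate(String user, String assertion, byte[] sig, PublicKey idpKey)
            throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(idpKey);
        v.update(assertion.getBytes(StandardCharsets.UTF_8));
        if (!v.verify(sig)) return false;
        String[] f = assertion.split("\\|");
        return f.length == 3 && f[0].equals(user) && f[1].equals(AUDIENCE)
                && Instant.now().getEpochSecond() < Long.parseLong(f[2]);
    }

    static byte[] sign(String assertion, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(assertion.getBytes(StandardCharsets.UTF_8));
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair idp = g.generateKeyPair(); // stand-in for the IdP signing key
        long exp = Instant.now().getEpochSecond() + 300;
        String assertion = "alice|" + AUDIENCE + "|" + exp; // constructed sample
        byte[] sig = sign(assertion, idp.getPrivate());

        // With the shared secret, the caller chooses the account name freely.
        System.out.println("secret, any user: " + sharedSecretLogin("admin", "s3cret", "s3cret"));
        // With re-validation, the signed subject must match the requested user.
        System.out.println("assertion, alice: " + revalidate("alice", assertion, sig, idp.getPublic()));
        System.out.println("assertion, admin: " + revalidate("admin", assertion, sig, idp.getPublic()));
        String altered = "admin|" + AUDIENCE + "|" + exp; // changed after signing
        System.out.println("altered assertion: " + revalidate("admin", altered, sig, idp.getPublic()));
    }
}
```

Only the plugin's copy of the IdP public key is needed for the second path, so nothing the mid-tier holds is sufficient on its own to name an arbitrary account.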


Shibboleth

2011-11-03 Thread O'Hara, Brad
Hi,

  Has anyone been able to use Shibboleth for authentication?

Thanks,
Brad


Brad O'Hara
Manager: Network Support Services
Computing and Networking Services
University of Florida
net-services.ufl.edu : Voice (352) 273-1347 : Fax (352) 273-0743




Support Matrix for 7.6.03

2011-01-07 Thread O'Hara, Brad
Anyone have a link to the support matrix?  I do not see it in the server 
documentation.

Brad


Brad O'Hara
Manager: Network Management Systems
Computing and Networking Services
University of Florida
net-services.ufl.edu : Voice (352) 273-1347 : Fax (352) 273-0743

