Standalone discovery » History » Revision 2

Redmine Admin, 01/10/2017 09:39 AM


Standalone discovery (shibboleth)

We need to use a standalone IdP discovery service in our setup. If you don't have any specific requirements (like eduGAIN in our case), you can use the one provided by CLARIN (http://clarin.eu/content/clarin-discovery-service).

Deploy and setup idpdiscovery.js

When you access a protected resource, a session must be started. What happens at that point is configured in shibboleth2.xml under SessionInitiator. In our case you are shown a page that lets you select an IdP. Such a page can be provided by various entities (e.g. eduid.cz, clarin.eu, DFN, ...), but in order to list exactly the IdPs that are allowed in our configuration, we have to provide our own.

One other parameter that is passed around (besides the selected IdP) is the URL of the protected resource. That is where you want to return to once the session has been started.

The IdP discovery page is done once again using DiscoJuice and you can find all the necessary stuff under /var/www/idpdiscovery. The most important part is discovery.html. It loads and fires the necessary scripts. The configuration is almost the same as when setting up the popup. After you've created the DiscoJuice configuration object (djc), you just set it to be always visible (no waiting for clicks) with djc.always. It also seems you have to set up an ACL for the return parameter: the second argument of IdPDiscovery.setup is the list of hostnames a return URL may point to. So only requests that want to return to (see above) resources with hostname ufal-point.mff.cuni.cz or ufal-point-dev.ms.mff.cuni.cz will be allowed to do so; a return URL pointing anywhere else is refused, which keeps the discovery page from being usable as an open redirector.

A working example of discovery.html:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
    <title>Select Your Login Provider</title>

    <link rel="shortcut icon" href="http://discojuice.bridge.uninett.no/simplesaml/module.php/discojuice/favicon.png" />

    <!-- jQuery hosted by Google -->
    <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js" type="text/javascript"></script>

    <script type="text/javascript" src="./discojuice-2.1.en.min.js"></script>
    <script type="text/javascript" src="./idpdiscovery-2.1.min.js"></script>
    <link rel="stylesheet" type="text/css" href="./discojuice.css" />

    <style type="text/css">
        body {
            text-align: center;
        }
        div.discojuice {
            text-align: left;
            position: relative;
            width: 600px;
            margin-right: auto;
            margin-left: auto;
        }
    </style>

    <script type="text/javascript">

        $(document).ready(function() {
                var title = "LINDAT - Clarin";
                var spentityid = "";     // could also be taken from the entityID query parameter (urlParams.entityID)
                var responseUrl = './discojuiceDiscoveryResponse.html';
                var feeds = [];          // no hosted feeds; our own metadata feed is set below
                var returnTo = "";
                var djc = DiscoJuice.Hosted.getConfig(title, spentityid, responseUrl, feeds);
                var host = "https://" + window.location.hostname;
                var metadataFeed = host + "/xmlui/discojuice/feeds";
                djc.metadata = [metadataFeed];   // only the IdPs from our own feed are listed

                // extra entries that are not part of the feed
                djc.inlinemetadata = [
                            {
                                "country":"_all_",
                                "entityID":"https://idp.clarin.eu",
                                "geo":{"lat":51.833298,"lon":5.866699},
                                "title":"Clarin.eu website account",
                                "weight":1000
                            },
                            {
                                'country':'CZ',
                                'entityID':'https://cas.cuni.cz/idp/shibboleth',
                                'geo':{'lat':'50.0705102','lon':'14.4198844'},
                                'title':'Univerzita Karlova v Praze',
                                'weight':-1000
                            }
                ];

                // show the IdP list right away instead of waiting for a click
                djc.always = true;
                // second argument: ACL for the "return" parameter, i.e. the only
                // hostnames the user may be sent back to after choosing an IdP
                djc.callback = IdPDiscovery.setup(djc, ['ufal-point-dev.ms.mff.cuni.cz', 'ufal-point.mff.cuni.cz']);

                $("body").DiscoJuice(djc);
        });

    </script>

</head>
<body style="background: #ccc">
</body>
</html>
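To make the return-parameter ACL concrete, here is an added example (not code from this wiki page nor from the DiscoJuice/IdPDiscovery project) of what a discovery page must do with the SAMLDS request before redirecting the browser back: parse the return URL, accept only an exact match against the allowed hostnames from above, and append the chosen IdP under returnIDParam. The function names validateReturnUrl and buildDiscoveryResponse and the sample query strings are assumptions made for the example.

```javascript
// Added example, not part of the original page or of IdPDiscovery.
// SAMLDS request as sent by the Shibboleth SP SessionInitiator:
//   discovery.html?entityID=<SP>&return=<URL>[&returnIDParam=<name>]
// Without a strict check on "return", the discovery page becomes an
// open redirector for anyone who can craft that parameter.

// Same ACL as passed to IdPDiscovery.setup() in discovery.html above.
const ALLOWED_RETURN_HOSTS = ['ufal-point-dev.ms.mff.cuni.cz', 'ufal-point.mff.cuni.cz'];

// Returns a URL object for an acceptable return target, or null to refuse.
function validateReturnUrl(rawReturn, allowedHosts) {
  let url;
  try {
    url = new URL(rawReturn);            // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:') return null;   // the session cookie must stay on TLS
  // Exact hostname comparison: a suffix or substring check would also accept
  // "ufal-point.mff.cuni.cz.other.example" or "evil-ufal-point.mff.cuni.cz".
  if (!allowedHosts.includes(url.hostname.toLowerCase())) return null;
  return url;
}

// Builds the redirect issued once the user picked an IdP: the SP's return
// URL with the IdP entityID appended under returnIDParam (default "entityID").
function buildDiscoveryResponse(discoveryQuery, chosenIdpEntityId, allowedHosts) {
  const params = new URLSearchParams(discoveryQuery);
  const target = validateReturnUrl(params.get('return') || '', allowedHosts);
  if (target === null) return null;     // caller should show an error, not redirect
  const idParam = params.get('returnIDParam') || 'entityID';
  target.searchParams.set(idParam, chosenIdpEntityId);
  return target.toString();
}
```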

Set up Shibboleth

The important part in shibboleth2.xml:

            <!--
            Configures SSO for a default IdP. To allow for >1 IdP, remove
            entityID property and adjust discoveryURL to point to discovery service.
            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
            You can also override entityID on /Login query string, or in RequestMap/htaccess.
            -->
            <SSO discoveryProtocol="SAMLDS" discoveryURL="https://lindat.mff.cuni.cz/idpdiscovery/discovery.html" relayState="cookie">
              SAML2 SAML1
            </SSO>

See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO or https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator if more details or a more complex configuration are needed.

Updated by Redmine Admin over 7 years ago · 2 revisions