
Standalone discovery » History » Version 2

Redmine Admin, 01/10/2017 09:39 AM

h1. Standalone discovery (shibboleth)
We need to use a standalone IdP discovery service in our setup. If you don't have any specific requirements (like eduGAIN in our case), you can use the one provided by CLARIN (http://clarin.eu/content/clarin-discovery-service).

h2. Deploy and setup idpdiscovery.js

When you access a protected resource, a session must be started. What happens when a protected resource is accessed is configured in shibboleth2.xml under SessionInitiator. In our case you are shown a page that lets you select an IdP. This page can be provided by various entities (e.g. eduid.cz, clarin.eu, DFN, ...), but in order to list exactly the IdPs that are allowed in our configuration, we have to provide our own.

One other parameter that is passed around (besides the selected IdP) is the URL of the protected resource. That's where you want to *return* to once the session has been started.

The IdP discovery page is done once again using DiscoJuice, and you can find all the necessary files under /var/www/idpdiscovery. The most important part is discovery.html: it loads and fires the necessary scripts. The configuration is almost the same as when setting up the popup. After you've created the DiscoJuice configuration object (djc), you set it to be always visible (no waiting for clicks) with djc.always. You also have to set up an ACL for the return parameter, so only return URLs (see above) with hostname ufal-point.mff.cuni.cz or ufal-point-dev.ms.mff.cuni.cz will be accepted; anything else is refused rather than redirected to.

A working example of discovery.html:
15
<pre>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
    <title>Select Your Login Provider</title>

    <link rel="shortcut icon" href="http://discojuice.bridge.uninett.no/simplesaml/module.php/discojuice/favicon.png" />

    <!-- jQuery hosted by Google -->
    <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js" type="text/javascript"></script>

    <script type="text/javascript" src="./discojuice-2.1.en.min.js"></script>
    <script type="text/javascript" src="./idpdiscovery-2.1.min.js"></script>
    <link rel="stylesheet" type="text/css" href="./discojuice.css" />

    <style type="text/css">
        body {
            text-align: center;
        }
        div.discojuice {
            text-align: left;
            position: relative;
            width: 600px;
            margin-right: auto;
            margin-left: auto;
        }
    </style>

    <script type="text/javascript">
        $(document).ready(function() {
                var title = "LINDAT - Clarin";
                var spentityid = "";  // SP entityID; could also be taken from the request (urlParams.entityID)
                var responseUrl = './discojuiceDiscoveryResponse.html';
                var feeds = [];
                var returnTo = "";
                var djc = DiscoJuice.Hosted.getConfig(title, spentityid, responseUrl, feeds);

                // Load the list of allowed IdPs from our own metadata feed, not from a public one
                var host = "https://" + window.location.hostname;
                var metadataFeed = host + "/xmlui/discojuice/feeds";
                djc.metadata = [metadataFeed];

                // Entries that are not in the feed (or need a different weight) are given inline
                djc.inlinemetadata = [
                            {
                                "country":"_all_",
                                "entityID":"https://idp.clarin.eu",
                                "geo":{"lat":51.833298,"lon":5.866699},
                                "title":"Clarin.eu website account",
                                "weight":1000
                            },
                            {
                                'country':'CZ',
                                'entityID':'https://cas.cuni.cz/idp/shibboleth',
                                'geo':{'lat':'50.0705102','lon':'14.4198844'},
                                'title':'Univerzita Karlova v Praze',
                                'weight':-1000
                            }
                ];

                // Show the selector immediately instead of waiting for a click
                djc.always = true;
                // ACL: only return URLs on these hostnames are accepted by the discovery response
                djc.callback = IdPDiscovery.setup(djc, ['ufal-point-dev.ms.mff.cuni.cz', 'ufal-point.mff.cuni.cz']);

                $("body").DiscoJuice(djc);
        });
    </script>

</head>
<body style="background: #ccc">
</body>
</html>
</pre>
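The hostname ACL that IdPDiscovery.setup() is handed above is what stops the discovery page from becoming an open redirector. The following is an added example (not the page's or DiscoJuice's code) of the same check done server-side on the SAMLDS return parameter before the redirect is issued; it uses the two hostnames from the page, the standard SAMLDS parameter names (return, returnIDParam, default entityID) and Node's built-in URL classes, everything else is an assumption.

```javascript
// Added example: validate the SAMLDS "return" parameter against a hostname
// allow list and build the discovery response redirect. Not part of the page.
const ALLOWED_RETURN_HOSTS = ['ufal-point.mff.cuni.cz', 'ufal-point-dev.ms.mff.cuni.cz'];

// True only if returnUrl is an absolute https URL whose hostname is exactly on
// the allow list. Exact match matters: a suffix or substring check would accept
// "ufal-point.mff.cuni.cz.attacker.example" and let the DS redirect anywhere.
function isAllowedReturn(returnUrl, allowedHosts = ALLOWED_RETURN_HOSTS) {
  let u;
  try {
    u = new URL(returnUrl);          // throws for relative or malformed URLs
  } catch (e) {
    return false;
  }
  if (u.protocol !== 'https:') return false;
  return allowedHosts.includes(u.hostname.toLowerCase());
}

// Build the discovery response: the SP's "return" URL with the chosen IdP
// appended in the parameter named by returnIDParam (SAMLDS default: "entityID").
// Returns null when the return target fails the ACL, so the caller shows an
// error page instead of redirecting.
function buildDiscoveryResponse(queryString, selectedIdP, allowedHosts = ALLOWED_RETURN_HOSTS) {
  const params = new URLSearchParams(queryString);
  const returnUrl = params.get('return');
  if (!returnUrl || !isAllowedReturn(returnUrl, allowedHosts)) return null;
  const target = new URL(returnUrl);
  const idParam = params.get('returnIDParam') || 'entityID';
  target.searchParams.set(idParam, selectedIdP);  // set, not append: exactly one IdP
  return target.toString();
}

module.exports = { ALLOWED_RETURN_HOSTS, isAllowedReturn, buildDiscoveryResponse };
```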
h2. Set shibboleth

The important part of shibboleth2.xml: the SSO element points discoveryURL at our own discovery page and uses the SAMLDS protocol.
<pre>
            <!--
            Configures SSO for a default IdP. To allow for >1 IdP, remove
            entityID property and adjust discoveryURL to point to discovery service.
            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
            You can also override entityID on /Login query string, or in RequestMap/htaccess.
            -->
            <SSO discoveryProtocol="SAMLDS" discoveryURL="https://lindat.mff.cuni.cz/idpdiscovery/discovery.html" relayState="cookie">
              SAML2 SAML1
            </SSO>
</pre>
See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO or https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator if more details or a more complex configuration are needed.