Standalone discovery » History » Version 2
Redmine Admin, 01/10/2017 09:39 AM
| 1 | 1 | Redmine Admin | h1. Standalone discovery (shibboleth) |
|---|---|---|---|
| 2 | |||
| 3 | We need to use a standalone idp discovery in our setup. If you don't have any specific requirements (like edugain in our case) you can use the one provided by clarin (http://clarin.eu/content/clarin-discovery-service). |
||
| 4 | |||
| 5 | h2. Deploy and setup idpdiscovery.js |
||
| 6 | |||
| 7 | 2 | Redmine Admin | When you are accessing a protected resource a session must be started. What happens (when accessing a protected resource) is configured in shibboleth2.xml under SessionInitiator. In our case you are shown a page that lets you select an IDP. This page can be provided by various entities (eg. eduid.cz, clarin.eu, dfn...), but in order to list all IDPs that are allowed in our configuration, we have to provide our own. |
| 8 | |||
| 9 | One other parameter that is passed around (except for the selected IDP) is the url of the protected resource. That's where you want to *return* to with started session. |
||
| 10 | |||
| 11 | The idp discovery page is done once again using Discojuice and you can find all the necessary stuff under /var/www/idpdiscovery. The most important part is discovery.html. It loads and fires the necessary scripts. The configuration is almost the same as when setting the popup. After you've created discojuice configuration object (djc), you just set it to be always visible (no wait for clicks) with djc.always. It also seems you have to set up acl for the return parameter. So only those who want to return to (see above) resources with hostname ufal-point.mff.cuni.cz or ufal-point-dev.ms.mff.cuni.cz will be allowed to do so. |
||
| 12 | |||
| 13 | |||
| 14 | A working example of discovery.html: |
||
| 15 | <pre> |
||
| 16 | <!DOCTYPE html> |
||
| 17 | <html lang="en"> |
||
| 18 | <head> |
||
| 19 | <meta charset="utf-8" /> |
||
| 20 | <title>Select Your Login Provider</title> |
||
| 21 | |||
| 22 | <link rel="shortcut icon" href="http://discojuice.bridge.uninett.no/simplesaml/module.php/discojuice/favicon.png" /> |
||
| 23 | |||
| 24 | <!-- JQuery hosted by Google --> |
||
| 25 | <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js" type="text/javascript"></script> |
||
| 26 | |||
| 27 | <script type="text/javascript" src="./discojuice-2.1.en.min.js"></script> |
||
| 28 | <script type="text/javascript" src="./idpdiscovery-2.1.min.js"></script> |
||
| 29 | <link rel="stylesheet" type="text/css" href="./discojuice.css" /> |
||
| 30 | |||
| 31 | <style type="text/css"> |
||
| 32 | body { |
||
| 33 | text-align: cente |
||
| 34 | } |
||
| 35 | div.discojuice { |
||
| 36 | text-align: lef |
||
| 37 | position: relativ |
||
| 38 | width: 600p |
||
| 39 | margin-right: aut |
||
| 40 | margin-left: aut |
||
| 41 | } |
||
| 42 | </style> |
||
| 43 | |||
| 44 | <script type="text/javascript"> |
||
| 45 | |||
| 46 | $("document").ready(function() { |
||
| 47 | var title = "LINDAT - Clarin\r |
||
| 48 | var spentityid = "//urlParams.entityI |
||
| 49 | var responseUrl = './discojuiceDiscoveryResponse.html\r |
||
| 50 | var feeds = [ |
||
| 51 | var returnTo = "\r |
||
| 52 | var djc = DiscoJuice.Hosted.getConfig(title,spentityid,responseUrl,feeds) |
||
| 53 | var host = "https://" + window.location.hostnam |
||
| 54 | var metadataFeed = host + "/xmlui/discojuice/feeds\r |
||
| 55 | djc.metadata = [metadataFeed |
||
| 56 | |||
| 57 | djc.inlinemetadata = [ |
||
| 58 | { |
||
| 59 | "country":"_all_", |
||
| 60 | "entityID":"https://idp.clarin.eu", |
||
| 61 | "geo":{"lat":51.833298,"lon":5.866699}, |
||
| 62 | "title":"Clarin.eu website account", |
||
| 63 | "weight":1000 |
||
| 64 | }, |
||
| 65 | { |
||
| 66 | 'country':'CZ', |
||
| 67 | 'entityID':'https://cas.cuni.cz/idp/shibboleth', |
||
| 68 | 'geo':{'lat':'50.0705102','lon':'14.4198844'}, |
||
| 69 | 'title':'Univerzita Karlova v Praze', |
||
| 70 | 'weight':-1000 |
||
| 71 | }, |
||
| 72 | |||
| 73 | |||
| 74 | djc.always = tru |
||
| 75 | djc.callback = IdPDiscovery.setup(djc, ['ufal-point-dev.ms.mff.cuni.cz', 'ufal-point.mff.cuni.cz']) |
||
| 76 | |||
| 77 | $("body").DiscoJuice(djc) |
||
| 78 | }) |
||
| 79 | |||
| 80 | |||
| 81 | </script> |
||
| 82 | |||
| 83 | </head> |
||
| 84 | <body style="background: #ccc"> |
||
| 85 | </body> |
||
| 86 | </html> |
||
| 87 | |||
| 88 | </pre> |
||
| 89 | 1 | Redmine Admin | |
| 90 | h2. Set shibboleth |
||
| 91 | |||
| 92 | The important part in shibboleth2.xml |
||
| 93 | |||
| 94 | <pre> |
||
| 95 | <!-- |
||
| 96 | Configures SSO for a default IdP. To allow for >1 IdP, remove |
||
| 97 | entityID property and adjust discoveryURL to point to discovery service. |
||
| 98 | (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.) |
||
| 99 | You can also override entityID on /Login query string, or in RequestMap/htaccess. |
||
| 100 | --> |
||
| 101 | <SSO discoveryProtocol="SAMLDS" discoveryURL="https://lindat.mff.cuni.cz/idpdiscovery/discovery.html" relayState="cookie"> |
||
| 102 | SAML2 SAML1 |
||
| 103 | </SSO> |
||
| 104 | |||
| 105 | </pre> |
||
| 106 | |||
| 107 | see https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO or https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator if more details/complex configuration is needed |