Portal:Shibboleth

From GPNWiki



Federated Identity Management


Mission/Goals

Originally funded by EDUCAUSE as a subaward of the National Science Foundation's Middleware Initiative, this project was joined by eleven universities in the Great Plains Network Consortium to establish a Shibboleth testbed in the GPN region.


Project goals include:

  • Develop a region-wide collaboration environment through the development of middleware services
  • Build a regional middleware infrastructure to share resources across the region
  • Carry out strategic planning on a regional basis


More information about this phase of the project can be found at the GPN ETR web site.

Participants

The Shibboleth Project is open to all GPN member universities. Initial participants included

University of Arkansas: Amy Apon (PI), David Merrifield (co-PI & President of ARKnet)

Great Plains Network: Co-PI Dr. Greg Monaco, Director for Research, Great Plains Network and Kansas State University

University of Missouri: Gordon Springer (co-PI & GPN Executive Council Member)

University of Kansas: John Louis (co-PI & GPN Executive Council Member), Wes Hubert, Kathryn Huxtable

University of Oklahoma: Henry Neeman (co-PI), Dennis Aebersold

University of Nebraska – Lincoln: Dale Finkelson (co-PI), Byrav Ramamurthy (co-PI)

South Dakota State University: Delmar Johnson (co-PI & MIDnet Board Member)

North Dakota State University: Thomas Moberg (co-PI), John Grosen

Peter Kiewit Institute: Hamid Sharif (co-PI)

University of South Dakota: Joe Collette (co-PI)

Mailing List Subscription Information

How to join and receive notifications:

  1. address an email to majordomo@greatplains.net,
  2. put the words subscribe gp-shibboleth in the body of the email,
  3. send the email!


Publications

Assistance on Shibboleth

GPN members are encouraged to contact GPN Support to obtain assistance with Shibboleth installations.

To get a GPN Shibboleth identity, please contact GPN Support.

For Greg to add a new LDAP ID:

  1. Download and install Apache Directory Studio.
  2. Start Studio.
  3. If you are shown a welcome screen with a picture, go to the Workbench.
  4. Select LDAP and create a new connection:
    1. Host: goldenrod.greatplains.net
    2. Port: 636
    3. Use SSL encryption
    4. Simple authentication
    5. Bind DN: cn=Manager,dc=greatplains,dc=net
    6. Go to People in the list box and expand it by clicking the arrow to its left.
    7. Copy an existing entry and change its details.
    8. Use PuTTY to connect to 129.130.119.2 at 4545 and log in.
    9. Run makepasswd --char 7
    10. Use the output as the password, with SSHA as the hash method.
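As an added example (not code from this wiki page or from the GPN project), the following Python shows what steps 9 and 10 produce: a 7-character password, the OpenLDAP {SSHA} userPassword form of it, a constant-time check of that value, and an LDIF entry that ldapadd could load. The ou=People container, the inetOrgPerson attributes and the password alphabet are assumptions; only the dc=greatplains,dc=net part comes from the bind DN above.

```python
import base64
import hashlib
import os
import secrets
import string

# Same role as "makepasswd --char 7" in the procedure above (alphabet is an assumption).
ALPHABET = string.ascii_letters + string.digits


def make_password(length=7):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA} userPassword value: base64(SHA-1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # a SHA-1 digest is always 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(candidate, digest)


def person_ldif(uid, cn, sn, mail, hashed, base="ou=People,dc=greatplains,dc=net"):
    """LDIF for ldapadd; the ou=People base is an assumption, the dc part is from the bind DN."""
    return "\n".join([
        f"dn: uid={uid},{base}",
        "objectClass: inetOrgPerson",
        f"uid: {uid}",
        f"cn: {cn}",
        f"sn: {sn}",
        f"mail: {mail}",
        f"userPassword: {hashed}",
        "",
    ])


if __name__ == "__main__":
    pw = make_password()
    print(person_ldif("jdoe", "Jane Doe", "Doe", "jdoe@example.edu", ssha_hash(pw)))
```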

5/22/2008 -- dhancock restarted ldap and tomcat following a system reboot on 5/21.

How to Add Your Organization to GPN's Federation

This is a work in progress.

You will need GPN's public key.

  • The attribute eduPersonPrincipalName needs to be passed to GPN. On some systems it is passed as "REMOTE_USER". The EPPN is necessary for GPN organizations to use resources from other GPN organizations, such as KU using an MU resource.

KU added the following entry for the GPN service provider to its IdP metadata XML file.

       <EntityDescriptor entityID="https://collaboration.greatplains.net/shibboleth">
               <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
                       <KeyDescriptor use="signing">
                               <ds:KeyInfo>
                                       <ds:X509Data>
                                               <ds:X509Certificate>
  MIIDazCCAtSgAwIBAgICCLwwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT
  MRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlzb24xIDAeBgNVBAoT
  F1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJEaXZpc2lvbiBvZiBJ
  bmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYDVQQDExxIRVBLSSBTZXJ2ZXIgQ0Eg
  LS0gMjAwMjA3MDFBMB4XDTA2MDYxNTIzMDgzOFoXDTEwMDcyNTIzMDgzOFowgagx
  CzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZLYW5zYXMxEjAQBgNVBAcTCU1hbmhhdHRh
  bjEdMBsGA1UEChMUR3JlYXQgUGxhaW5zIE5ldHdvcmsxDDAKBgNVBAsTA0dQTjEm
  MCQGA1UEAxMdY29sbGFib3JhdGlvbi5ncmVhdHBsYWlucy5uZXQxHzAdBgkqhkiG
  9w0BCQEWEGRlc2htdWtoQGtzdS5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
  ggEKAoIBAQC/yN04CBFDCI0iGpaVcr6oOSeZD1yz7RJvJBgc5WY15JFczY/MRqDa
  RbM2yg+u1OImu+lM9XY9RSvYUIN0rwEHToji54WcEcCiaLKKmmR2Qb77IDxSCKjm
  C9lzjooUDoFYYHxf1NnqVfrW2J0Ty6mhD3oxhYZ8DG01uCXFu+EiPRAAfSll4Pxv
  dz3nw9PgwWwvYk6tKej/SLjf38o6VziEhytZ6hy3m5qTV3S9PWfQLOrFjyRl4Wl5
  ycXDC7tVmuadgC490OsR3E+tSg/iHHLpxlEp+7WUBF73fowqCcrdlvq8HWPZNAum
  dlj8LS6Abut0XcOmSr+bBrmF5H62G8gFAgMBAAGjHTAbMAwGA1UdEwEB/wQCMAAw
  CwYDVR0PBAQDAgWgMA0GCSqGSIb3DQEBBAUAA4GBACLG2LJdpZzBlNJUdgDiVQg6
  zTcfjwK8NuwZpNwQUQBUBvWaeFvo9qWvFHzpmYSwVjqJQ9bdGifmXi938GYkWSPV
  g1uRyvT6HHMatVsrwbmT9kbrTtOebGQYA9JGsmDZjCcG6etXuGs1cjj4zAW6UFVE
  LCvETZZMPVr/aUIL9Dr6
                                               </ds:X509Certificate>
                                       </ds:X509Data>
                               </ds:KeyInfo>
                       </KeyDescriptor>
                       <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
                       <AssertionConsumerService index="1" isDefault="true"
                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
                               Location="http://collaboration.greatplains.net/Shibboleth.sso/SAML/POST" />
                       <AssertionConsumerService index="2"
                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
                               Location="http://collaboration.greatplains.net/Shibboleth.sso/SAML/Artifact" />
               </SPSSODescriptor>
               <Organization>
                       <OrganizationName xml:lang="en">Great Plains Network</OrganizationName>
                       <OrganizationDisplayName xml:lang="en">Great Plains Network</OrganizationDisplayName>
                       <OrganizationURL xml:lang="en">http://www.greatplains.net/</OrganizationURL>
               </Organization>
               <ContactPerson contactType="administrative">
                       <SurName>GPN</SurName>
                       <EmailAddress>support@greatplains.net</EmailAddress>
               </ContactPerson>
               <ContactPerson contactType="technical">
                       <SurName>Technical Support</SurName>
                       <EmailAddress>support@greatplains.net</EmailAddress>
               </ContactPerson>
       </EntityDescriptor>
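As an added example (not part of this wiki page and not GPN or Shibboleth project code), this Python sanity check parses an SP entry like the one above before it is loaded into an IdP: it confirms the entityID, that a certificate is present in the KeyDescriptor, and that every AssertionConsumerService Location uses https. The sample metadata is constructed with a placeholder certificate, and the xmlns declarations are assumed, since the snippet above omits them.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample modelled on the GPN SP entry above. The certificate body is a
# placeholder, not GPN's key, and the namespace declarations are assumed.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://collaboration.greatplains.net/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-CERT-BASE64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="http://collaboration.greatplains.net/Shibboleth.sso/SAML/POST" />
    <AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
        Location="http://collaboration.greatplains.net/Shibboleth.sso/SAML/Artifact" />
  </SPSSODescriptor>
</EntityDescriptor>"""


def check_sp_metadata(xml_text, expected_entity_id):
    """Return a list of findings for one SP EntityDescriptor; an empty list means it passed."""
    findings = []
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    if entity_id != expected_entity_id:
        findings.append(f"entityID {entity_id!r} is not the expected {expected_entity_id!r}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no SPSSODescriptor: this entry does not describe an SP"]
    cert_path = "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    if sp.find(cert_path, NS) is None:
        findings.append("no X509Certificate: the IdP has no key to trust for this SP")
    for acs in sp.findall("md:AssertionConsumerService", NS):
        loc = acs.get("Location", "")
        if urlparse(loc).scheme != "https":          # assertions are POSTed to this URL
            findings.append(f"ACS index {acs.get('index')} at {loc} is not https: "
                            "assertions posted to it travel in the clear")
    return findings
```

Run against the sample, the check reports both ACS endpoints because they are plain http, which is also what the entry above declares.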
