Archive for the ‘shibboleth’ Category
-
What is a Learning Platform – 3 simple video explanations
-
One social web could make school social networking a reality
Ever wished you could have a school social network that has the privacy settings to protect pupils yet the power to connect pupils and teachers globally?
One Social Web may make this a reality. The purpose of One Social Web is to enable free, open, and decentralized social applications on the web. Like Facebook but not owned by Facebook; owned by, well um, everyone!
Usually your school data exists only on your school server. If your school server was integrated with One Social Web, pupils or teachers could easily be "transferred" to another school without losing any information, files etc., and/or be able to access their old school work while still being able to connect to their new file storage.
The One Social Web platform is based in London, UK and has developers all around the world. The platform is completely open so anyone can contribute and privacy settings are managed on a per user basis.
It would be interesting to see the first school deployment of this, I certainly hope I will get the opportunity to tie Primary School Teaching into the platform! It would also be interesting to debate how One Social Web can work with Shibboleth providing not only single level accessibility but accessibility at an organizational level.
-
Etherpad with Shibboleth Authentication (Technical document)
I want to log in to Etherpad with my UK federation/Shibboleth login. Firstly I need to get my SP working.
Configure SP & Apache initially.
I need to ~~configure Tomcat to use Shibboleth for Authentication~~ configure Jetty to use Shibboleth Authentication.
Once this is done I will have the user's attributes as environment variables. Now I have the variables I need to create a script to check the variables and create an account if required. All sounds pretty simple, right? Let's hope so; as I make progress I will document my changes.
I’m referring to the LDAP plugin patch code for how to handle “talking to etherpad”.
ETA is 3/4 weeks. Sucks that I need to use Apache but oh well!!
Note: Etherpad runs on Jetty, not Tomcat and doesn’t require Apache. It is the shibboleth element of this that requires Apache to operate.
Note: Thanks to nuba for reminding me about Jetty.
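The "check the variables and create an account if required" step above, written out as an added example (not code from this post, from Etherpad or from the Shibboleth project). It assumes the SP's attribute map exports the attributes under the names `eppn`, `mail` and `displayName` (conventional, but an assumption here), that the application keeps its own account store (modelled as a dict), and that only users from a constructed list of home organisations may be auto-provisioned:

```python
"""Decide what to do with a Shibboleth-authenticated visitor, given the
attributes the Shibboleth SP exports to the application environment.

Added example, not code from the blog post, Etherpad or Shibboleth. Attribute
names, allowed scopes and the sample environment are constructed assumptions.
"""
from typing import Mapping, Optional, Tuple

# Home organisations whose users may be auto-provisioned (constructed list).
ALLOWED_SCOPES = {"schoola.ac.uk", "schoolb.ac.uk"}

# Attributes that must be present before the login is trusted at all.
REQUIRED = ("eppn", "mail", "displayName")


def parse_eppn(eppn: str) -> Optional[Tuple[str, str]]:
    """Split an eduPersonPrincipalName into (local part, lower-cased scope).

    Returns None unless it is exactly user@scope. A value with a second '@'
    such as user@evil@schoola.ac.uk would pass a naive endswith() check, so
    it is rejected outright."""
    if eppn.count("@") != 1:
        return None
    user, scope = eppn.split("@")
    if not user or not scope:
        return None
    return user, scope.lower()


def decide(env: Mapping[str, str], accounts: dict) -> str:
    """Return 'reject', 'login' or 'create' for the given SP environment.

    On 'create' the new account is added to `accounts`."""
    missing = [a for a in REQUIRED if not env.get(a)]
    if missing:
        return "reject"            # the SP did not assert what we need
    parsed = parse_eppn(env["eppn"])
    if parsed is None:
        return "reject"
    _user, scope = parsed
    if scope not in ALLOWED_SCOPES:
        return "reject"            # federation user, but not one of our schools
    key = env["eppn"].lower()
    if key in accounts:
        return "login"
    accounts[key] = {"mail": env["mail"], "name": env["displayName"], "scope": scope}
    return "create"


# Constructed sample environment, shaped like what the SP sets for a CGI
# script behind Apache after a successful login (values are made up).
SAMPLE_ENV = {
    "eppn": "jsmith@schoola.ac.uk",
    "mail": "j.smith@schoola.ac.uk",
    "displayName": "J Smith",
}

if __name__ == "__main__":
    store = {}
    print(decide(SAMPLE_ENV, store))   # create
    print(decide(SAMPLE_ENV, store))   # login
```

In a real handler `env` is `os.environ`. One caveat worth knowing when Apache only proxies to Jetty, as this post sets out to do: the SP then passes the attributes to the backend as request headers rather than environment variables, so the application must accept those headers only from its own Apache front end, never directly from clients.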
-
Etherpad with Active Directory (LDAP/AD)
So you want to host your own Etherpad deployment and you want to tie it into your school's AD/LDAP/Active Directory? Below are the basic instructions for how to accomplish this. Alternatively you can pay us to do it.

1. Get the patch: https://gist.github.com/10061b4b213619816db5
2. Get the etherpad source (warning: may take some time, go make a cuppa tea): `hg clone https://etherpad.googlecode.com/hg/ etherpad`
3. Go to the etherpad folder: `cd etherpad`
4. Extract the patch: `tar -xvz --strip-components=1 -f ../gist10061b4b213619816db5-e60df95e16c09700b4cf07cd87b9732dd7b15ace.tar.gz`
5. Apply the patch: `patch -p1 < ldap_support.patch`
6. Set your superdomain: `nano trunk/etherpad/src/etherpad/globals.js` and add yourdomain.whatever to the SUPERDOMAINS
7. Edit pro_accounts.js: `nano trunk/etherpad/src/etherpad/pro/pro_accounts.js`
8. Change directory: `cd trunk/etherpad`
9. Add the useLdapConfiguration setting to the config: `echo "etherpad.useLdapConfiguration = ./etc/json.config" >> etc/etherpad.localdev-default.properties`
10. Edit json.config: `nano etc/json.config` and paste in the following (you need the {}'s), replacing the values with your settings:

```json
{
  "url": "ldap://localhost:10389",
  "principal": "uid=admin,ou=system",
  "password": "secret",
  "rootPath": "ou=users,ou=system",
  "userClass": "person",
  "nameAttribute": "displayname",
  "ldapSuffix": "@ldap"
}
```

11. Build your etherpad: `bin/rebuildjar.sh`
12. Test your etherpad: `bin/run-local.sh`
13. Browse to http://yourdomain.com:9000/ep/pro-account/sign-in
14. Type in your email address (of the user in LDAP) and password.

Shibboleth integration coming mid 2010 (if anyone wants to fund this please get in touch!)
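A small checker for the json.config file from the steps above, added here as an example; it is not code from this post or from the LDAP patch. The key names are the ones the post's sample config uses; the checks themselves (required keys, URL scheme, placeholder password, plaintext bind to a remote host) are this example's own, and the `ldaps://` suggestion assumes the patch's LDAP client accepts such URLs:

```python
"""Sanity-check an Etherpad LDAP json.config before running bin/rebuildjar.sh.

Added example, not code from the post or from the LDAP patch. Key names follow
the post's sample config; the checks are this example's own.
"""
import json
from typing import List
from urllib.parse import urlsplit

REQUIRED_KEYS = ("url", "principal", "password", "rootPath",
                 "userClass", "nameAttribute", "ldapSuffix")
PLACEHOLDER_PASSWORDS = {"secret", "password", "changeme"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# The post's sample config, embedded here as constructed input.
SAMPLE_CONFIG = """{
  "url": "ldap://localhost:10389",
  "principal": "uid=admin,ou=system",
  "password": "secret",
  "rootPath": "ou=users,ou=system",
  "userClass": "person",
  "nameAttribute": "displayname",
  "ldapSuffix": "@ldap"
}"""


def check_ldap_config(text: str) -> List[str]:
    """Return a list of problems found in a json.config body (empty means OK)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # Smart quotes pasted from a web page are the usual cause here.
        return [f"not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object (you need the {}'s)"]

    problems = []
    for key in REQUIRED_KEYS:
        if not str(cfg.get(key, "")).strip():
            problems.append(f"missing or empty key: {key}")

    url = urlsplit(str(cfg.get("url", "")))
    if url.scheme not in ("ldap", "ldaps"):
        problems.append("url must start with ldap:// or ldaps://")
    elif url.scheme == "ldap" and url.hostname not in LOCAL_HOSTS:
        # The bind password and every user's password would cross the
        # network unencrypted.
        problems.append("plaintext ldap:// to a remote host; use ldaps://")

    if str(cfg.get("password", "")).lower() in PLACEHOLDER_PASSWORDS:
        problems.append("password is a well-known placeholder; set the real bind password")
    return problems


if __name__ == "__main__":
    for line in check_ldap_config(SAMPLE_CONFIG) or ["OK"]:
        print(line)
```

Run against the post's own sample it reports only the placeholder password, which is exactly the value you would forget to change.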
Shibboleth IDP configuration for multiple organizations & Google apps
So you want to configure your IDP to allow logins from multiple organizations' Google Apps? I.e. you want SchoolA to sign into http://docs.SchoolA.com and SchoolB to sign into http://docs.SchoolB.com.
The documentation on Google's site isn't very clear, so here are some step by step instructions. Before you even make a start, back up ALL of your IDP configuration files.
Prerequisites:
- Working IDP
- Google Apps Educational Account
- CNAME records set for docs.SchoolA.com and docs.SchoolB.com
Firstly complete the steps documented beautifully by Will Norris. Do the config for any school; we are just doing this to make sure you have a working IDP. Test the above config changes by browsing to http://apps.SchoolA.com, where SchoolA.com is the domain of the school you have configured Google Apps for. A usual misconception new users have about Google Apps is that it will create user accounts when you first log in. This is not true. Your user account name on Google Apps must match the value being passed by the IDP. I have written a Perl Google Apps provisioning tool; get in touch if you want it. It worked? Great! If not, don't continue. Get Will's configuration working first, then continue.

Now let's get started configuring your IDP to allow multiple organizations to authenticate to Google Apps.

1. Log into your Google Apps admin account at http://google.com/a/SchoolA.com
2. Click Advanced tools – Set up Single Sign on – tick "Use a domain specified issuer". You are done in Google Apps. Congrats.
3. SSH into your IDP.
4. Is your Google metadata located at /opt/shibboleth-idp/metadata/google-metadata.xml? It should be; if not, modify the paths in the guide below to suit yours. It will make sense.
5. Edit /opt/shibboleth-idp/metadata/google-metadata.xml to read:

```xml
<EntityDescriptor entityID="google.com/a/schoola.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/schoola.com/acs" />
  </SPSSODescriptor>
</EntityDescriptor>
```

6. Copy google-metadata.xml to google-metadata2.xml
7. Edit /opt/shibboleth-idp/metadata/google-metadata2.xml to read:

```xml
<EntityDescriptor entityID="google.com/a/schoolb.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/schoolb.com/acs" />
  </SPSSODescriptor>
</EntityDescriptor>
```

8. Edit /etc/shibboleth/relying-party.xml
9. Smile
10. Make me a cup of tea
11. Replace the entire RelyingParty section for the Google connectivity. After you are done it should read something like:

```xml
<RelyingParty id="google.com/a/schoola.com" provider="https://idp.youridp.com/idp/shibboleth"
    defaultSigningCredentialRef="IdPCredential">
  <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
<RelyingParty id="google.com/a/schoolb.com" provider="https://idp.youridp.com/idp/shibboleth"
    defaultSigningCredentialRef="IdPCredential">
  <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
```

12. Search for google.com again and look for the MetadataProvider section.
13. Copy and paste the first reference, replacing .xml with 2.xml, and change the second school's id value to GoogleMD2. It should read something like this:

```xml
<MetadataProvider id="GoogleMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
    metadataFile="/opt/shibboleth-idp/metadata/google-metadata.xml" maintainExpiredMetadata="true" />
<MetadataProvider id="GoogleMD2" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
    metadataFile="/opt/shibboleth-idp/metadata/google-metadata2.xml" maintainExpiredMetadata="true" />
```

Congrats, you are done in relying-party.xml!

14. Edit /etc/shibboleth/attribute-filter.xml
15. Search for google.com
16. Edit the value to read "google.com/a/schoola.com"
17. Copy and paste the policy, replacing schoola.com with schoolb.com in the new policy. It should read:

```xml
<AttributeFilterPolicy>
  <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/schoola.com" />
  <AttributeRule attributeID="principal">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
</AttributeFilterPolicy>
<AttributeFilterPolicy>
  <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/schoolb.com" />
  <AttributeRule attributeID="principal">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
</AttributeFilterPolicy>
```

18. I restarted Tomcat using the ./Shutdown ./Startup script to test and it worked fine. Test by browsing to http://apps.schoola.com/ (assuming you have this CNAME set). If you have problems, please check that you replaced schoola.com and schoolb.com with your domains and also your IDP references.
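Steps 5 to 17 are the same four fragments repeated once per school, so they lend themselves to being generated rather than copied by hand. The script below is an added example, not code from this post or from the Shibboleth project: it reproduces the IdP 2.x element shapes shown above for any number of Google Apps domains and parses each generated metadata file back to confirm that its entityID and AssertionConsumerService Location agree (the easiest thing to get wrong when copying google-metadata.xml to google-metadata2.xml). The IdP entityID, metadata directory and school domains are constructed placeholders:

```python
"""Generate the per-school Shibboleth IdP fragments the post edits by hand
(SP metadata file, RelyingParty, MetadataProvider, AttributeFilterPolicy)
and check that they agree with each other.

Added example, not code from the post or the Shibboleth project. The IdP
entityID, metadata directory and domains are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAML_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def google_entity_id(domain: str) -> str:
    """entityID Google uses once 'Use a domain specified issuer' is ticked."""
    return f"google.com/a/{domain.lower()}"


def sp_metadata_xml(domain: str) -> str:
    """Contents of google-metadata<N>.xml for one Google Apps domain."""
    d = domain.lower()
    return (
        f'<EntityDescriptor entityID="{google_entity_id(d)}" xmlns="{SAML_MD}">\n'
        f'  <SPSSODescriptor protocolSupportEnumeration="{SAML_PROTO}">\n'
        f'    <NameIDFormat>{NAMEID_UNSPEC}</NameIDFormat>\n'
        f'    <AssertionConsumerService index="1" Binding="{HTTP_POST}"\n'
        f'        Location="https://www.google.com/a/{d}/acs" />\n'
        "  </SPSSODescriptor>\n"
        "</EntityDescriptor>\n"
    )


def relying_party_xml(domain: str, idp_entity_id: str) -> str:
    return (
        f'<RelyingParty id="{google_entity_id(domain)}" provider="{idp_entity_id}"\n'
        '    defaultSigningCredentialRef="IdPCredential">\n'
        '  <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"'
        ' encryptAssertions="never" encryptNameIds="never" />\n'
        "</RelyingParty>\n"
    )


def metadata_provider_xml(index: int, metadata_dir: str) -> str:
    """GoogleMD / google-metadata.xml for school 1, GoogleMD2 / google-metadata2.xml for school 2, ..."""
    suffix = "" if index == 1 else str(index)
    return (
        f'<MetadataProvider id="GoogleMD{suffix}" xsi:type="FilesystemMetadataProvider"\n'
        '    xmlns="urn:mace:shibboleth:2.0:metadata"\n'
        f'    metadataFile="{metadata_dir}/google-metadata{suffix}.xml" maintainExpiredMetadata="true" />\n'
    )


def attribute_filter_policy_xml(domain: str) -> str:
    return (
        "<AttributeFilterPolicy>\n"
        f'  <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="{google_entity_id(domain)}" />\n'
        '  <AttributeRule attributeID="principal">\n'
        '    <PermitValueRule xsi:type="basic:ANY" />\n'
        "  </AttributeRule>\n"
        "</AttributeFilterPolicy>\n"
    )


def acs_domain(metadata_xml: str) -> str:
    """Parse a metadata file and return its Google Apps domain, raising if the
    entityID and the AssertionConsumerService Location disagree."""
    root = ET.fromstring(metadata_xml)
    entity = root.get("entityID", "")
    acs = root.find(f"{{{SAML_MD}}}SPSSODescriptor/{{{SAML_MD}}}AssertionConsumerService")
    if acs is None or acs.get("Location") != f"https://www.{entity}/acs":
        raise ValueError(f"entityID {entity!r} does not match the ACS Location")
    return entity.split("/a/", 1)[1]


def build(domains: List[str], idp_entity_id: str = "https://idp.example.org/idp/shibboleth",
          metadata_dir: str = "/opt/shibboleth-idp/metadata") -> Dict[str, object]:
    """Return every fragment for the given schools, keyed by the file it belongs in."""
    metadata: Dict[str, str] = {}
    providers = relying = policies = ""
    for i, domain in enumerate(domains, start=1):
        suffix = "" if i == 1 else str(i)
        xml = sp_metadata_xml(domain)
        acs_domain(xml)                      # self-check before handing it out
        metadata[f"google-metadata{suffix}.xml"] = xml
        providers += metadata_provider_xml(i, metadata_dir)
        relying += relying_party_xml(domain, idp_entity_id)
        policies += attribute_filter_policy_xml(domain)
    return {"metadata": metadata, "relying-party.xml": relying + providers,
            "attribute-filter.xml": policies}


if __name__ == "__main__":
    cfg = build(["SchoolA.com", "SchoolB.com"])
    for name, body in cfg["metadata"].items():
        print(f"== {name}\n{body}")
    print("== relying-party.xml fragment\n" + cfg["relying-party.xml"])
    print("== attribute-filter.xml fragment\n" + cfg["attribute-filter.xml"])
```

One thing to keep in view when reading the generated attribute-filter.xml: each policy releases `principal` with `basic:ANY` to its requester, so the IdP will assert any of its users to either school's Google Apps domain, and what then separates SchoolA's users from SchoolB's is only whether a matching account exists on that Google Apps domain, as the post notes above.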