Archive for the ‘single sign on’ Category

  • Etherpad with Active Directory (LDAP/AD)

    Date: 2010.02.03 | Category: ad, etherpad, ldap, shibboleth, single sign on, sso | Response: 2

    So you want to host your own Etherpad deployment and you want to tie it into your schools AD/LDAP/Active directory? Below are the basic instructions for how to accomplish this. Alternatively you can pay us to do it.
    Get the patch
    lynx https://gist.github.com/10061b4b213619816db5
    Get the etherpad source (warning- may take some time- go make a cuppa tea)
    hg clone https://etherpad.googlecode.com/hg/ etherpad
    Go to the etherpad folder
    cd etherpad
    Extract the patch
    tar -xvz –strip-components=1 -f ../gist10061b4b213619816db5-e60df95e16c09700b4cf07cd87b9732dd7b15ace.tar.gz
    Apply the patch

    patch -p1 < ldap_support.patch

    Set your superdomain
    nano trunk/etherpad/src/etherpad/globals.js
    add yourdomain.whatever to the SUPERDOMAINS
    Edit pro_accounts.js
    nano trunk/etherpad/src/etherpad/pro/pro_accounts.js
    Change directory
    cd trunk/etherpad
    Add the useLdapconf to the config
    echo “etherpad.useLdapConfiguration = ./etc/json.config” >> etc/etherpad.localdev-default.properties
    Edit json.config
    nano etc/json.config
    Paste in (you need the {}’s):

    {
    url” : “ldap://localhost:10389″,
    “principal” : “uid=admin,ou=system”,
    “password” : “secret”,
    rootPath” : “ou=users,ou=system”,
    userClass” : “person”,
    nameAttribute” : “displayname“,
    ldapSuffix” : “@ldap
    }
    Replacing the above with your settings.
    Build your etherpad
    bin/rebuildjar.sh
    Test your etherpad
    bin/run-local.sh
    Browse to http://yourdomain.com:9000/ep/pro-account/sign-in
    Type in your email address (of the user in ldap) and password
    Fin! Credit to Elliot Kroo and Marcio Starke – discussed further in this google group.
    Shibboleth integration coming mid 2010 (if anyone wants to fund this please get in touch!)

  • Shibboleth IDP configuration for multiple organizations & Google apps

    Date: 2009.11.21 | Category: apps, google, idp, shibboleth, single sign on, sso | Response: 7

    So you want to configure your IDP to allow logins from multiple organizations google apps? IE you want SchoolA to sign into http://docs.SchoolA.com and SchoolB to sign into http://docs.SchoolB.com.

    The documentation on googles site isn’t very clear so here are some step by step instructions.

    Before you even make a start, backup ALL of your IDP configuration files.

    PreReqs:

    • Working IDP
    • Google Apps Educational Account
    • CNAME records set for docs.SchoolA.com and docs.SchoolB.com

    Firstly complete the steps documented beautifully by Will Norris – Do the config for any school, we are just doing this to make sure you have a working IDP.

    Test the above config changes by browsing to http://apps.SchoolA.com where SchoolA.com is the domain of the school you have configure google apps for. A usual misconception new users have about google apps is that it will create user accounts when you first login. This is not true. Your user account name on google apps must match the value being passed by the IDP. I have written a perl google apps provisioning tool, get in touch if you want it.

    It worked? Great! If not, don’t continue. Get Will’s configuration working first then continue.

    Now let’s get started configuring your IDP to allow multiple organizations to authenticate to Google Apps.

    1. Log into your google apps admin account at http://google.com/a/SchoolA.com

    2. Click Advanced tools – Set up Single Sign on – Tick Use a domain specified issuer

    You are done in Google Apps. Congrats.

    3. Ssh into your IDP

    4. Is your Google Metadata located at /opt/shibboleth-idp/metadata/google-metadata.xml ? It should be, if not, modify the below guide to suite your paths. It will make sense..

    5. Edit /opt/shibboleth-idp/metadata/google-metadata.xml to read

    <EntityDescriptor entityID="google.com/a/schoola.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/schoola.com/acs" />
</SPSSODescriptor>
</EntityDescriptor>

    6. Copy google-metadata.xml to google-metadata2.xml

    7. Edit /opt/shibboleth-idp/metadata/google-metadata2.xml to read

    <EntityDescriptor entityID="google.com/a/schoolb.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/schoolb.com/acs" />
</SPSSODescriptor>
</EntityDescriptor>

    8. Edit /etc/shibboleth/relying-party.xml

    9. Smile

    10. Make me a cup of tea

    11. Replace the entire Relying Party section for the google connectivity. After you are done it should read something like…

    <RelyingParty id="google.com/a/schoola.com"
provider="https://idp.youridp.com/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
<RelyingParty id="google.com/a/schoolb.com"
provider="https://idp.youridp.com/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>

    12. Search for Google.com again – look for the MetadataProvider section

    13. Copy and paste the first reference replacing .xml with 2.xml, change the second schools id value to GoogleMD2, it should read something like this:

    <MetadataProvider id="GoogleMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataFile="/opt/shibboleth-idp/metadata/google-metadata.xml" maintainExpiredMetadata="true" />
<MetadataProvider id="GoogleMD2" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataFile="/opt/shibboleth-idp/metadata/google-metadata2.xml" maintainExpiredMetadata="true" />

    Congrats, you are done in relying-party.xml!

    14. Edit /etc/shibboleth/attribute-filter.xml

    15. Search for google.com

    16. Edit the value to read “google.com/a/schoola.com”

    17. Copy and paste the policy, replace schoola.com with schoolb.com in the new policy.

    It should read:

    <AttributeFilterPolicy>
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/schoola.com" />
<AttributeRule attributeID="principal">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>
<AttributeFilterPolicy>
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/schoolb.com" />
<AttributeRule attributeID="principal">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>

    18. I restarted tomcat using the ./Shutdown ./Startup script to test and it worked fine. Test by browsing to http://apps.schoola.com/(assuming you have this cname set). If you have problems please check that you replaced schoola.com and schoolb.com with your domain and also your IDP references.

  • Shibboleth WAYFless URLs UKFederation

    Date: 2009.10.27 | Category: shibboleth, single sign on, sso, ukfederation, wayfless | Response: 0

    Shibboleth is a single sign on method used by UK schools.
    Shibboleth allows you to log into multiple services without the need to enter your username and password.

    Shibboleth WAYFLess URLS is a
    knowledge requirement for Shibboleth Service Providers and users. A shibboleth user may use a service frequently and want to skip the Identity provider selection page, a wayfless URL does exactly this.

    Example



    Copy and paste the above and replace %20 with ?

    Another example

    What bit do I need to change to configure my service to Primary Logon?
    https://wayf.ukfederation.org.uk/shibboleth-wayf/ukfull.wayf?target=cookie
    &providerId=urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk
    &cache=perm&action=selection
    &origin=https://idp.primarylogon.co.uk/idp/shibboleth
    &shire=https://target.iay.org.uk/Shibboleth.sso/SAML/POST
    The bits in bold need changing.

  • Shibboleth / SSO blogging @ Primary Blogger

    Date: 2009.09.22 | Category: Blog, Blogger, Blogging, due date, eta, Primary Blogger, school email, shibboleth, single sign on, sso | Response: 0

    I’m currently in the process of doing a test of shibboleth integrated blogs. Shibboleth is a single sign on system currently adopted by Ja.net.

    The idea is once I have this working then I will put it live on Primary Blogger.
    I am hoping to have this up after the IDP and SP for School Email which is due in early October so probably somewhere around the mid November time depending on how cold it gets here and if I can stay alive without any money for central heating!!
    Please buy School Email to keep me warm icon smile Shibboleth / SSO blogging @ Primary Blogger
    Thanks!
    Q. What does this mean to me as a user?
    A. You will be able to login to Primary Blogger with your Schools username and password, it will basically save administration effort and make full class/school blogs far more easier to manage!

  • Shibboleth accounts from an MIS

    Date: 2009.09.19 | Category: cmis, idp, mis, shibboleth, sims, single sign on, sso | Response: 0

    Today I’m happy to announce that the project I am working on (Yet to be publicly announced) will allow schools (subscribed and unsubscribed to LA internet packages) to use an independant(Yet approved by Ja.Net) single sign on IDP that will automatically update accounts (cleanly) from the school MIS.
    The package is extremely easy to install (2 clicks and type in an id, username and password) and you are done.
    An official press release is due in a few weeks (once most of the development is done and beta testing has begun).
    Shibboleth is a way that schools can type in their username and password once and access a range of services such as google apps, primary email and other great web services.