patch -p1 < ldap_support.patch

Report This Post

No related posts.

The documentation on googles site isn’t very clear so here are some step by step instructions.

Before you even make a start, backup ALL of your IDP configuration files.

PreReqs:

Firstly complete the steps documented beautifully by Will Norris – Do the config for any school, we are just doing this to make sure you have a working IDP.

Test the above config changes by browsing to http://apps.SchoolA.com where SchoolA.com is the domain of the school you have configure google apps for. A usual misconception new users have about google apps is that it will create user accounts when you first login. This is not true. Your user account name on google apps must match the value being passed by the IDP. I have written a perl google apps provisioning tool, get in touch if you want it.

It worked? Great! If not, don’t continue. Get Will’s configuration working first then continue.

Now let’s get started configuring your IDP to allow multiple organizations to authenticate to Google Apps.

1. Log into your google apps admin account at http://google.com/a/SchoolA.com

2. Click Advanced tools – Set up Single Sign on – Tick Use a domain specified issuer

You are done in Google Apps. Congrats.

3. Ssh into your IDP

4. Is your Google Metadata located at /opt/shibboleth-idp/metadata/google-metadata.xml ? It should be, if not, modify the below guide to suite your paths. It will make sense..

5. Edit /opt/shibboleth-idp/metadata/google-metadata.xml to read

<EntityDescriptor entityID="google.com/a/schoola.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/schoola.com/acs" />
</SPSSODescriptor>
</EntityDescriptor>

6. Copy google-metadata.xml to google-metadata2.xml

7. Edit /opt/shibboleth-idp/metadata/google-metadata2.xml to read

<EntityDescriptor entityID="google.com/a/schoolb.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/schoolb.com/acs" />
</SPSSODescriptor>
</EntityDescriptor>

8. Edit /etc/shibboleth/relying-party.xml

9. Smile

10. Make me a cup of tea

11. Replace the entire Relying Party section for the google connectivity. After you are done it should read something like…

<RelyingParty id="google.com/a/schoola.com"
provider="https://idp.youridp.com/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
<RelyingParty id="google.com/a/schoolb.com"
provider="https://idp.youridp.com/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>

12. Search for Google.com again – look for the MetadataProvider section

13. Copy and paste the first reference replacing .xml with 2.xml, change the second schools id value to GoogleMD2, it should read something like this:

<MetadataProvider id="GoogleMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataFile="/opt/shibboleth-idp/metadata/google-metadata.xml" maintainExpiredMetadata="true" />
<MetadataProvider id="GoogleMD2" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataFile="/opt/shibboleth-idp/metadata/google-metadata2.xml" maintainExpiredMetadata="true" />

Congrats, you are done in relying-party.xml!

14. Edit /etc/shibboleth/attribute-filter.xml

15. Search for google.com

16. Edit the value to read “google.com/a/schoola.com”

17. Copy and paste the policy, replace schoola.com with schoolb.com in the new policy.

It should read:

<AttributeFilterPolicy>
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/schoola.com" />
<AttributeRule attributeID="principal">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>
<AttributeFilterPolicy>
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/schoolb.com" />
<AttributeRule attributeID="principal">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>

18. I restarted tomcat using the ./Shutdown ./Startup script to test and it worked fine. Test by browsing to http://apps.schoola.com/(assuming you have this cname set). If you have problems please check that you replaced schoola.com and schoolb.com with your domain and also your IDP references.

Report This Post

Related posts:

1. Testing your Primary School Google Apps Education Edition Configuration You can test your different Google Apps by accessing the...
2. Troubleshooting Google Apps and Shibboleth If you receive an “invalid email” error or invalid user...
3. Are Google planning to put Google Wave into Google Apps? Google Apps is becoming more and more popular in schools,...

]]> http://mclear.co.uk/2009/11/21/shibboleth-idp-configuration-for-multiple-organizations-google-apps/feed/ 7 http://mclear.co.uk/2009/10/27/shibboleth-wayfless-urls-ukfederation/ http://mclear.co.uk/2009/10/27/shibboleth-wayfless-urls-ukfederation/#comments Tue, 27 Oct 2009 20:55:00 +0000 Admin Admin http://mclear.primaryblogger.co.uk/2009/10/27/shibboleth-wayfless-urls-ukfederation/

Shibboleth is a single sign on method used by UK schools.

Shibboleth allows you to log into multiple services without the need to enter your username and password.

Shibboleth WAYFLess URLS is a

knowledge requirement for Shibboleth Service Providers and users. A shibboleth user may use a service frequently and want to skip the Identity provider selection page, a wayfless URL does exactly this.

Example

Copy and paste the above and replace %20 with ?

Another example

What bit do I need to change to configure my service to Primary Logon?

https://wayf.ukfederation.org.uk/shibboleth-wayf/ukfull.wayf?target=cookie

&providerId=urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk

&cache=perm&action=selection

&origin=https://idp.primarylogon.co.uk/idp/shibboleth

&shire=https://target.iay.org.uk/Shibboleth.sso/SAML/POST

The bits in bold need changing.

Report This Post

Related posts:

1. Configuring Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs Part 2. Shibboleth Config (6 hours) Edit shibboleth2.xml Replace all...
2. Testing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs Part 4. Testing (2 hours) Shibboleth can be started using...
3. Installing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs Internet 2 give some “creative” documentation for this procedure so...

]]> http://mclear.co.uk/2009/10/27/shibboleth-wayfless-urls-ukfederation/feed/ 0 http://mclear.co.uk/2009/09/22/shibboleth-sso-blogging-primary-blogger/ http://mclear.co.uk/2009/09/22/shibboleth-sso-blogging-primary-blogger/#comments Tue, 22 Sep 2009 18:10:00 +0000 Admin Admin http://mclear.primaryblogger.co.uk/2009/09/22/shibboleth-sso-blogging-primary-blogger/ I’m currently in the process of doing a test of shibboleth integrated blogs. Shibboleth is a single sign on system currently adopted by Ja.net.

The idea is once I have this working then I will put it live on Primary Blogger.

I am hoping to have this up after the IDP and SP for School Email which is due in early October so probably somewhere around the mid November time depending on how cold it gets here and if I can stay alive without any money for central heating!!

Please buy School Email to keep me warm

Thanks!

Q. What does this mean to me as a user?

A. You will be able to login to Primary Blogger with your Schools username and password, it will basically save administration effort and make full class/school blogs far more easier to manage!

Report This Post

Related posts:

1. Primary Blogger – How to use your own domain So you want to move your current website to primary...
2. Shibboleth accounts from an MIS Today I’m happy to announce that the project I am...
3. Primary Blogger update Hi all, just FYI when we updated Primary Blogger to...

]]> http://mclear.co.uk/2009/09/22/shibboleth-sso-blogging-primary-blogger/feed/ 0 http://mclear.co.uk/2009/09/19/shibboleth-accounts-from-an-mis/ http://mclear.co.uk/2009/09/19/shibboleth-accounts-from-an-mis/#comments Sat, 19 Sep 2009 23:05:00 +0000 Admin Admin http://mclear.primaryblogger.co.uk/2009/09/19/shibboleth-accounts-from-an-mis/ Today I’m happy to announce that the project I am working on (Yet to be publicly announced) will allow schools (subscribed and unsubscribed to LA internet packages) to use an independant(Yet approved by Ja.Net) single sign on IDP that will automatically update accounts (cleanly) from the school MIS.

The package is extremely easy to install (2 clicks and type in an id, username and password) and you are done.

An official press release is due in a few weeks (once most of the development is done and beta testing has begun).

Shibboleth is a way that schools can type in their username and password once and access a range of services such as google apps, primary email and other great web services.

Click here for more information on Shibboleth

Report This Post

Related posts:

1. Shibboleth / SSO blogging @ Primary Blogger I’m currently in the process of doing a test of...
2. Shibboleth WAYFless URLs UKFederation Shibboleth is a single sign on method used by UK...
3. Installing shibboleth SP 2.3 on CentOS Press y 3 times. Done. Proceed to configuration.. Report This...

]]> http://mclear.co.uk/2009/09/19/shibboleth-accounts-from-an-mis/feed/ 0