John McLear » single sign on http://mclear.co.uk My mission: To encourage effective use of ICT in Schools. My main focus is on ages 3-11. Fri, 10 Feb 2012 00:46:32 +0000 en hourly 1 http://primaryblogger.co.uk/?v=3.3.1 Etherpad with Active Directory (LDAP/AD) http://mclear.co.uk/2010/02/03/etherpad-with-active-directory-ldapad/ http://mclear.co.uk/2010/02/03/etherpad-with-active-directory-ldapad/#comments Wed, 03 Feb 2010 17:20:00 +0000 Admin Admin http://mclear.primaryblogger.co.uk/2010/02/03/etherpad-with-active-directory-ldapad/ So you want to host your own Etherpad deployment and you want to tie it into your schools AD/LDAP/Active directory? Below are the basic instructions for how to accomplish this. Alternatively you can pay us to do it.
Get the patch
lynx https://gist.github.com/10061b4b213619816db5
Get the etherpad source (warning- may take some time- go make a cuppa tea)
hg clone https://etherpad.googlecode.com/hg/ etherpad
Go to the etherpad folder
cd etherpad
Extract the patch
tar -xvz –strip-components=1 -f ../gist10061b4b213619816db5-e60df95e16c09700b4cf07cd87b9732dd7b15ace.tar.gz
Apply the patch

patch -p1 < ldap_support.patch

Set your superdomain
nano trunk/etherpad/src/etherpad/globals.js
add yourdomain.whatever to the SUPERDOMAINS
Edit pro_accounts.js
nano trunk/etherpad/src/etherpad/pro/pro_accounts.js
Change directory
cd trunk/etherpad
Add the useLdapconf to the config
echo “etherpad.useLdapConfiguration = ./etc/json.config” >> etc/etherpad.localdev-default.properties
Edit json.config
nano etc/json.config
Paste in (you need the {}’s):

{
url” : “ldap://localhost:10389″,
“principal” : “uid=admin,ou=system”,
“password” : “secret”,
rootPath” : “ou=users,ou=system”,
userClass” : “person”,
nameAttribute” : “displayname“,
ldapSuffix” : “@ldap
}
Replacing the above with your settings.
Build your etherpad
bin/rebuildjar.sh
Test your etherpad
bin/run-local.sh
Browse to http://yourdomain.com:9000/ep/pro-account/sign-in
Type in your email address (of the user in ldap) and password
Fin! Credit to Elliot Kroo and Marcio Starke – discussed further in this google group.
Shibboleth integration coming mid 2010 (if anyone wants to fund this please get in touch!)

Related Posts

No related posts.

]]> http://mclear.co.uk/2010/02/03/etherpad-with-active-directory-ldapad/feed/ 2 Shibboleth IDP configuration for multiple organizations & Google apps http://mclear.co.uk/2009/11/21/shibboleth-idp-configuration-for-multiple-organizations-google-apps/ http://mclear.co.uk/2009/11/21/shibboleth-idp-configuration-for-multiple-organizations-google-apps/#comments Sat, 21 Nov 2009 03:03:00 +0000 Admin Admin http://mclear.primaryblogger.co.uk/2009/11/21/shibboleth-idp-configuration-for-multiple-organizations-google-apps/ So you want to configure your IDP to allow logins from multiple organizations google apps? IE you want SchoolA to sign into http://docs.SchoolA.com and SchoolB to sign into http://docs.SchoolB.com.

The documentation on googles site isn’t very clear so here are some step by step instructions.

Before you even make a start, backup ALL of your IDP configuration files.

PreReqs:

  • Working IDP
  • Google Apps Educational Account
  • CNAME records set for docs.SchoolA.com and docs.SchoolB.com

Firstly complete the steps documented beautifully by Will Norris – Do the config for any school, we are just doing this to make sure you have a working IDP.

Test the above config changes by browsing to http://apps.SchoolA.com where SchoolA.com is the domain of the school you have configure google apps for. A usual misconception new users have about google apps is that it will create user accounts when you first login. This is not true. Your user account name on google apps must match the value being passed by the IDP. I have written a perl google apps provisioning tool, get in touch if you want it.

It worked? Great! If not, don’t continue. Get Will’s configuration working first then continue.

Now let’s get started configuring your IDP to allow multiple organizations to authenticate to Google Apps.

1. Log into your google apps admin account at http://google.com/a/SchoolA.com

2. Click Advanced tools – Set up Single Sign on – Tick Use a domain specified issuer

You are done in Google Apps. Congrats.

3. Ssh into your IDP

4. Is your Google Metadata located at /opt/shibboleth-idp/metadata/google-metadata.xml ? It should be, if not, modify the below guide to suite your paths. It will make sense..

5. Edit /opt/shibboleth-idp/metadata/google-metadata.xml to read

<EntityDescriptor entityID="google.com/a/schoola.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/schoola.com/acs" />
</SPSSODescriptor>
</EntityDescriptor>

6. Copy google-metadata.xml to google-metadata2.xml

7. Edit /opt/shibboleth-idp/metadata/google-metadata2.xml to read

<EntityDescriptor entityID="google.com/a/schoolb.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/schoolb.com/acs" />
</SPSSODescriptor>
</EntityDescriptor>

8. Edit /etc/shibboleth/relying-party.xml

9. Smile

10. Make me a cup of tea

11. Replace the entire Relying Party section for the google connectivity. After you are done it should read something like…

<RelyingParty id="google.com/a/schoola.com"
provider="https://idp.youridp.com/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
<RelyingParty id="google.com/a/schoolb.com"
provider="https://idp.youridp.com/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>

12. Search for Google.com again – look for the MetadataProvider section

13. Copy and paste the first reference replacing .xml with 2.xml, change the second schools id value to GoogleMD2, it should read something like this:

<MetadataProvider id="GoogleMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataFile="/opt/shibboleth-idp/metadata/google-metadata.xml" maintainExpiredMetadata="true" />
<MetadataProvider id="GoogleMD2" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataFile="/opt/shibboleth-idp/metadata/google-metadata2.xml" maintainExpiredMetadata="true" />

Congrats, you are done in relying-party.xml!

14. Edit /etc/shibboleth/attribute-filter.xml

15. Search for google.com

16. Edit the value to read “google.com/a/schoola.com”

17. Copy and paste the policy, replace schoola.com with schoolb.com in the new policy.

It should read:

<AttributeFilterPolicy>
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/schoola.com" />
<AttributeRule attributeID="principal">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>
<AttributeFilterPolicy>
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/schoolb.com" />
<AttributeRule attributeID="principal">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>

18. I restarted tomcat using the ./Shutdown ./Startup script to test and it worked fine. Test by browsing to http://apps.schoola.com/(assuming you have this cname set). If you have problems please check that you replaced schoola.com and schoolb.com with your domain and also your IDP references.

Related Posts

  1. Testing your Primary School Google Apps Education Edition Configuration
  2. Troubleshooting Google Apps and Shibboleth
  3. Are Google planning to put Google Wave into Google Apps?
]]> http://mclear.co.uk/2009/11/21/shibboleth-idp-configuration-for-multiple-organizations-google-apps/feed/ 7 Shibboleth WAYFless URLs UKFederation http://mclear.co.uk/2009/10/27/shibboleth-wayfless-urls-ukfederation/ http://mclear.co.uk/2009/10/27/shibboleth-wayfless-urls-ukfederation/#comments Tue, 27 Oct 2009 20:55:00 +0000 Admin Admin http://mclear.primaryblogger.co.uk/2009/10/27/shibboleth-wayfless-urls-ukfederation/
Shibboleth is a single sign on method used by UK schools.
Shibboleth allows you to log into multiple services without the need to enter your username and password.

Shibboleth WAYFLess URLS is a
knowledge requirement for Shibboleth Service Providers and users. A shibboleth user may use a service frequently and want to skip the Identity provider selection page, a wayfless URL does exactly this.

Example



Copy and paste the above and replace %20 with ?

Another example


What bit do I need to change to configure my service to Primary Logon?
https://wayf.ukfederation.org.uk/shibboleth-wayf/ukfull.wayf?target=cookie
&providerId=urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk
&cache=perm&action=selection
&origin=https://idp.primarylogon.co.uk/idp/shibboleth
&shire=https://target.iay.org.uk/Shibboleth.sso/SAML/POST
The bits in bold need changing.

Related Posts

  1. Configuring Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs
  2. Testing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs
  3. Installing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs
]]> http://mclear.co.uk/2009/10/27/shibboleth-wayfless-urls-ukfederation/feed/ 0 Shibboleth / SSO blogging @ Primary Blogger http://mclear.co.uk/2009/09/22/shibboleth-sso-blogging-primary-blogger/ http://mclear.co.uk/2009/09/22/shibboleth-sso-blogging-primary-blogger/#comments Tue, 22 Sep 2009 18:10:00 +0000 Admin Admin http://mclear.primaryblogger.co.uk/2009/09/22/shibboleth-sso-blogging-primary-blogger/ I’m currently in the process of doing a test of shibboleth integrated blogs. Shibboleth is a single sign on system currently adopted by Ja.net.
The idea is once I have this working then I will put it live on Primary Blogger.
I am hoping to have this up after the IDP and SP for School Email which is due in early October so probably somewhere around the mid November time depending on how cold it gets here and if I can stay alive without any money for central heating!!
Please buy School Email to keep me warm :)
Thanks!
Q. What does this mean to me as a user?
A. You will be able to login to Primary Blogger with your Schools username and password, it will basically save administration effort and make full class/school blogs far more easier to manage!

Related Posts

  1. Primary Blogger – How to use your own domain
  2. Shibboleth accounts from an MIS
  3. Primary Blogger update
]]> http://mclear.co.uk/2009/09/22/shibboleth-sso-blogging-primary-blogger/feed/ 0 Shibboleth accounts from an MIS http://mclear.co.uk/2009/09/19/shibboleth-accounts-from-an-mis/ http://mclear.co.uk/2009/09/19/shibboleth-accounts-from-an-mis/#comments Sat, 19 Sep 2009 23:05:00 +0000 Admin Admin http://mclear.primaryblogger.co.uk/2009/09/19/shibboleth-accounts-from-an-mis/ Today I’m happy to announce that the project I am working on (Yet to be publicly announced) will allow schools (subscribed and unsubscribed to LA internet packages) to use an independant(Yet approved by Ja.Net) single sign on IDP that will automatically update accounts (cleanly) from the school MIS.
The package is extremely easy to install (2 clicks and type in an id, username and password) and you are done.
An official press release is due in a few weeks (once most of the development is done and beta testing has begun).
Shibboleth is a way that schools can type in their username and password once and access a range of services such as google apps, primary email and other great web services.

Related Posts

  1. Shibboleth / SSO blogging @ Primary Blogger
  2. Shibboleth WAYFless URLs UKFederation
  3. Installing shibboleth SP 2.3 on CentOS
]]> http://mclear.co.uk/2009/09/19/shibboleth-accounts-from-an-mis/feed/ 0