Category: sso

Etherpad with Active Directory (LDAP/AD)

Posted on by primaryt
So you want to host your own Etherpad deployment and you want to tie it into your schools AD/LDAP/Active directory? Below are the basic instructions for how to accomplish this. Alternatively you can pay us to do it.
Get the patch
lynx https://gist.github.com/10061b4b213619816db5
Get the etherpad source (warning- may take some time- go make a cuppa tea)
hg clone https://etherpad.googlecode.com/hg/ etherpad
Go to the etherpad folder
cd etherpad
Extract the patch
tar –xvz –strip-components=1 -f ../gist10061b4b213619816db5-e60df95e16c09700b4cf07cd87b9732dd7b15ace.tar.gz
Apply the patch

patch -p1 < ldap_support.patch

Set your superdomain
nano trunk/etherpad/src/etherpad/globals.js
add yourdomain.whatever to the SUPERDOMAINS
Edit pro_accounts.js
nano trunk/etherpad/src/etherpad/pro/pro_accounts.js
Change directory
cd trunk/etherpad
Add the useLdapconf to the config
echo “etherpad.useLdapConfiguration = ./etc/json.config” >> etc/etherpad.localdev-default.properties
Edit json.config
nano etc/json.config
Paste in (you need the {}’s):

{
url” : “ldap://localhost:10389”,
“principal” : “uid=admin,ou=system”,
“password” : “secret”,
rootPath” : “ou=users,ou=system”,
userClass” : “person”,
nameAttribute” : “displayname“,
ldapSuffix” : “@ldap
}
Replacing the above with your settings.
Build your etherpad
bin/rebuildjar.sh
Test your etherpad
bin/run-local.sh
Browse to http://yourdomain.com:9000/ep/pro-account/sign-in
Type in your email address (of the user in ldap) and password
Fin! Credit to Elliot Kroo and Marcio Starke – discussed further in this google group.
Shibboleth integration coming mid 2010 (if anyone wants to fund this please get in touch!)

Shibboleth IDP configuration for multiple organizations & Google apps

Posted on by primaryt

So you want to configure your IDP to allow logins from multiple organizations google apps? IE you want SchoolA to sign into http://docs.SchoolA.com and SchoolB to sign into http://docs.SchoolB.com.

The documentation on googles site isn’t very clear so here are some step by step instructions.

Before you even make a start, backup ALL of your IDP configuration files.

PreReqs:

  • Working IDP
  • Google Apps Educational Account
  • CNAME records set for docs.SchoolA.com and docs.SchoolB.com

Firstly complete the steps documented beautifully by Will Norris – Do the config for any school, we are just doing this to make sure you have a working IDP.

Test the above config changes by browsing to http://apps.SchoolA.com where SchoolA.com is the domain of the school you have configure google apps for. A usual misconception new users have about google apps is that it will create user accounts when you first login. This is not true. Your user account name on google apps must match the value being passed by the IDP. I have written a perl google apps provisioning tool, get in touch if you want it.

It worked? Great! If not, don’t continue. Get Will’s configuration working first then continue.

Now let’s get started configuring your IDP to allow multiple organizations to authenticate to Google Apps.

1. Log into your google apps admin account at http://google.com/a/SchoolA.com

2. Click Advanced tools – Set up Single Sign on – Tick Use a domain specified issuer

You are done in Google Apps. Congrats.

3. Ssh into your IDP

4. Is your Google Metadata located at /opt/shibboleth-idp/metadata/google-metadata.xml ? It should be, if not, modify the below guide to suite your paths. It will make sense..

5. Edit /opt/shibboleth-idp/metadata/google-metadata.xml to read

<EntityDescriptor entityID="google.com/a/schoola.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/schoola.com/acs" />
</SPSSODescriptor>
</EntityDescriptor>

6. Copy google-metadata.xml to google-metadata2.xml

7. Edit /opt/shibboleth-idp/metadata/google-metadata2.xml to read

<EntityDescriptor entityID="google.com/a/schoolb.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/schoolb.com/acs" />
</SPSSODescriptor>
</EntityDescriptor>

8. Edit /etc/shibboleth/relying-party.xml

9. Smile

10. Make me a cup of tea

11. Replace the entire Relying Party section for the google connectivity. After you are done it should read something like…

<RelyingParty id="google.com/a/schoola.com"
provider="https://idp.youridp.com/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
<RelyingParty id="google.com/a/schoolb.com"
provider="https://idp.youridp.com/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>

12. Search for Google.com again – look for the MetadataProvider section

13. Copy and paste the first reference replacing .xml with 2.xml, change the second schools id value to GoogleMD2, it should read something like this:

<MetadataProvider id="GoogleMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataFile="/opt/shibboleth-idp/metadata/google-metadata.xml" maintainExpiredMetadata="true" />
<MetadataProvider id="GoogleMD2" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataFile="/opt/shibboleth-idp/metadata/google-metadata2.xml" maintainExpiredMetadata="true" />

Congrats, you are done in relying-party.xml!

14. Edit /etc/shibboleth/attribute-filter.xml

15. Search for google.com

16. Edit the value to read “google.com/a/schoola.com”

17. Copy and paste the policy, replace schoola.com with schoolb.com in the new policy.

It should read:

<AttributeFilterPolicy>
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/schoola.com" />
<AttributeRule attributeID="principal">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>
<AttributeFilterPolicy>
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/schoolb.com" />
<AttributeRule attributeID="principal">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>

18. I restarted tomcat using the ./Shutdown ./Startup script to test and it worked fine. Test by browsing to http://apps.schoola.com/(assuming you have this cname set). If you have problems please check that you replaced schoola.com and schoolb.com with your domain and also your IDP references.

Shibboleth WAYFless URLs UKFederation

Posted on by primaryt

Shibboleth is a single sign on method used by UK schools.
Shibboleth allows you to log into multiple services without the need to enter your username and password.

Shibboleth WAYFLess URLS is a
knowledge requirement for Shibboleth Service Providers and users. A shibboleth user may use a service frequently and want to skip the Identity provider selection page, a wayfless URL does exactly this.

Example



Copy and paste the above and replace %20 with ?

Another example

What bit do I need to change to configure my service to Primary Logon?
https://wayf.ukfederation.org.uk/shibboleth-wayf/ukfull.wayf?target=cookie
&providerId=urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk
&cache=perm&action=selection
&origin=https://idp.primarylogon.co.uk/idp/shibboleth
&shire=https://target.iay.org.uk/Shibboleth.sso/SAML/POST
The bits in bold need changing.