The dvn-auth mailing list has been fun but we're retiring it for a
number of reasons.
First, this list is quite low traffic. So is the main
dataverse-community Google Group. We've decided to ask everyone here
to join the Google Group instead:
https://groups.google.com/forum/#!forum/dataverse-community
All things auth are on topic for the Google Group. There's really no
need to split up the community. People seem to agree:
http://irclog.iq.harvard.edu/dataverse/2015-07-16#i_21793
Second, this list was created back when Redmine was used for ticket
tracking and there was no way for people outside IQSS to comment on
issues. This has all changed with the move to GitHub issues so there
are more ways to reach out. Comment away on those auth tickets! A
number of Google docs related to auth allow public comments as well.
Third, recently some subscribers to this lists have received many
strange "unsubscribe me" and "reset my password" emails as chronicled
at https://lists.iq.harvard.edu/pipermail/dvn-auth/2015-July/000031.html
. Nobody needs this, especially for a low-traffic list. We'll just
shut it down. Long live the Google Group.
(Long live http://chat.dataverse.org as well, the preferred
communication channel of the coordinators of the Dataverse Auth
Community Group:
http://community.dataverse.org/community-groups/auth.html :)
Finally, the list has "dvn" in the name but it's now a legacy term. We
call the software "Dataverse". :)
We'll keep the archives of this list around but I'll unsubscribe
everyone after sending this message. Thank you for everyone's
participation!
Please do consider joining the Google Group. And please don't be shy
about asking questions about auth or discussing auth there. If we
overwhelm the group, we can always split off into a separate list
again someday! :)
Phil
--
Philip Durbin
Software Developer for http://dataverse.orghttp://www.iq.harvard.edu/people/philip-durbin
Dear all,
Last night (CEST) dvn-auth list subscribers (may) have received "confirm unsubscribe" and/or "mailing list reminder" messages. Chances are you did not want to unsubscribe, so you can ignore the messages.
Phil and I are investigating what happened (although we have to rely on the list system administrators) and if this should/could be prevented in the future.
Ben
Hi all,
We've taken off! The Authentication and Authorization Community Group, that is.
At the first Dataverse Community Meeting, a break-out session on Auth was well attended and already resulted in interesting ideas for possible directions for Dataverse development.
The report of the meeting is a Google Doc: https://docs.google.com/document/d/17TI2RLqdntd5vnrygDrFgYNNmqb_eoTdSFita-L…
Phil and I updated the CG's page on Dataverse.org yesterday. The page has pretty minimal information, as the more dynamic group information can be found in and linked from the (main) Dataverse Authentication and Authorization Community Group Google Doc: https://docs.google.com/document/d/1xbWkj_OIk13gKe7jleNXVvakZErvHLA8JRBvLz8…
You're invited to read and contribute by commenting or requesting edit access to this document or linked documents.
The Dataverse.org website is being migrated to a different platform. We, the group, may decide to migrate our documents too.
It was great to meet so many people interested in Dataverse and authentication/authorization at the Community Meeting and hope to keep in touch online and offline.
Regards,
Phil and Ben
Hello!
Question for all you Shibboleth experts out there... If I'd like to
take one of the attributes and store in in Dataverse as a persistent
identifier? Which one should I use?
>From playing around with the IdP at http://testshib.org I assumed
"persistent-id" would be the one to use. It looks nice and unique:
persistent-id: https://idp.testshib.org/idp/shibboleth!https://apitest.dataverse.org/shibb…
However! I'm hearing that "persistent-id" may not be so commonly
used... that perhaps in Higher Ed anyway "eppn" might be used instead.
The weird thing to me about "eppn", however is that (at least from
TestShib) there's a username in it:
eppn: myself(a)testshib.org
Furthermore, eppn is allowed to change (!) according to
https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-…
"Values of eduPersonPrincipalName are often, but not required to be,
human-friendly, and may change as a result of various business
processes. They may also be reassigned after a locally-defined period
of dormancy. Applications that require a guarantee of non-reassignment
and more stability, but can tolerate values unfriendly (and unknown)
to humans should refer to the eduPersonTargetedID attribute."
So... maybe we should require eduPersonTargetedID (also known as
ePTID) instead...
But then I checked in with a non-Higher Ed person, and he uses
Assertion -> Subject -> NameID. It looks like this:
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user1</saml2:NameID>
It's got "persistent" in it, which I like. :)
>From what I can tell from docs above "[ePTID] is an abstracted version
of [NameID]" anyway, so maybe I should just require NameID so
non-Higher Ed people aren't confused.
Of course, I may just be confusing myself... I hope it's clear what
I'm asking... What we need on the Dataverse side is to but something
in the "FIXME" below:
permanentId = httpServletRequest.getAttribute("FIXME");
Should the "FIXME" be "NameID" perhaps? "eppn"? Something else? Please advise.
We'll be using this value to find the Shib users in the system each
time they log in.
Thanks!
Phil
p.s. Chats I just had (summarized above):
http://irclog.perlgeek.de/shibboleth/2014-07-29
Time Nick Message
19:57 pdurbin hsnopi or rkeene do you use "persistent-id" for anything?
19:59 hsnopi not taht I am specifically aware of. I think it is used
to give a user a permenant id but i could be very very wrong
19:59 pdurbin that's how I was thinking I'd use it
19:59 pdurbin but I'm also hearing that eppn is preferred, maybe?
20:00 pdurbin the IdP at http://testshib.org sends both
20:00 hsnopi that is so far out of my league
20:00 pdurbin eppn: myself(a)testshib.org
20:00 pdurbin persistent-id:
https://idp.testshib.org/idp/shibboleth!https://apitest.dataverse.org/shibb…
20:01 pdurbin persistent-id seemed "safer" to use... more unique...
20:01 hsnopi i seem to vaguely recall something about eppn going away
at soem point.
20:01 pdurbin hmm
http://www.evanchooly.com/logs/%2523glassfish/2014-07-29
pdurbin whartung: persistent-id or eppn?
whartung pdurbin: eh?
pdurbin heh
pdurbin whartung: http://irclog.perlgeek.de/shibboleth/2014-07-29
whartung frankly, I don't recognize either of those :)
pdurbin whartung: what attribute do you use to uniquely identify a
user who has logged in via shibboleth?
whartung Subject->NAmeID
pdurbin huh
pdurbin I'm not used to seeing "->" in an attribute
whartung Assertion -> Subject -> NameID
pdurbin oh oh
whartung no, it's the heirarchy
pdurbin whartung: you're giving me the xpath ;)
whartung yea
pdurbin cool. thanks
pdurbin NameID. hmm
pdurbin commonly used?
whartung Apparently
pdurbin ok. eppn comes from higher ed. eduPersonPrincipalName
https://www.incommon.org/federation/attributesummary.html
whartung ok
whartung yea, we're not in that domain
whartung generic Response of ours:
http://pastie.org/private/oay0trwmvrw9e0haekqmlw
pdurbin ok so <saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">kayyagari</saml2:NameID>
pdurbin interesting
whartung right
pdurbin so I'm seeing "persistent" there and under "longevity" at
https://wiki.shibboleth.net/confluence/display/SHIB2/NameIDAttributes
pdurbin "persistent: identifiers which are good for a long period of
time (e.g. years) but which the IdP may revoke"
whartung yea, perahps we should use "permanent" instead
pdurbin right
--
Philip Durbin
Software Developer for http://dataverse.orghttp://www.iq.harvard.edu/people/philip-durbin
Hi all,
You may have seen the general information about the formation of
Community Groups for Dataverse at [1].
"(...) Community Groups will be formed during the /First Annual
Dataverse Community Meeting (June 9-11)/
<http://community.dataverse.org/community-meetings/2015/index.html#community…>
and will report back to the /Dataverse Advisory Team/
<http://community.dataverse.org/advisory-team.html#advisory-team>."
[1]: http://community.dataverse.org/community-groups/index.html
" The Dataverse Advisory team advises the Dataverse team at IQSS, which
includes PI Gary King, Project Lead Mercè Crosas and members of the Data
Science team at IQSS (http://datascience.iq.harvard.edu/team), on all
significant general areas involving the Dataverse software application,
with a focus on technical advice." [2]
[2]: http://community.dataverse.org/advisory-team.html#advisory-team
One Community Group you as a subscriber to this list may be interested
in, is Authentication and Authorization ("Auth") [3], which is
coordinated by Philip Durbin and me.
The group will discuss 'auth' functional and technical questions and
requirements, use cases, etc. and report to the Advisory Team who can
advise about these topics. For example, a major current topic is
Shibboleth support in Dataverse 4. DDN (me :)) is thinking about
assigning roles to specific dataverses to users based on SAML
attributes. We are, naturally, interested in other aspects or ways of
authenticating and authorizing too.
[3]: http://community.dataverse.org/community-groups/auth.html
On a meta level, the community groups are still / yet to be discussed.
We expect that to happen between now and the end of the First Community
Meeting in June. You don't need to wait for the meeting in June to join
the discussion about auth, of course :)
If you are interested in being part of the auth group, please let Phil
or me know via email and we'll make sure you get the details. Of course,
news about the auth group will be posted here and in #dataverse on
Freenode IRC as well.
Looking forward to talk to/chat with/see/.. you!
Phil and Ben
Ben Companjen
Information systems engineer / Information manager
ben.companjen(a)dans.knaw.nl
+31 6 1334 9717
Skype: bencompanjen
Data Archiving and Networked Services (DANS)
DANS promotes sustained access to digital research data. See
www.dans.knaw.nl for more information and contact details. DANS is an
institute of KNAW and NWO.
DANS | Anna van Saksenlaan 51 | 2593 HW The Hague | P.O. Box 93067 |
2509 AB The Hague | +31 70 349 44 50 | info(a)dans.knaw.nl | www.dans.knaw.nl
Hi Phil,
I've comment on your GitHub suggestions related to the identifer/identity attributes of eppn (eduPersonPrincipalName), ePTID (eduPersonTargetedID), and NameID.
I post it here for others.
Hi Phil, I think you are misunderstanding the purpose of the these identity-oriented attributes when you talk about "ordering." Either that or I'm mis-understanding your business case :-). Generally, identity and identifier attributes are used for account-finding and also authorization. And other attributes (like roles and groups) also factor into authorization. There's not really an "ordering" but rather a question of "purpose" for each attribute. An IdP is generally only going to send you one of the attributes you list for a given user. Its purpose is "account-finding" if applicable, and/or "identifier-based authorization."
Thx,
Marlena
617-872-9736
-----Original Message-----
From: "dvn-auth-request(a)lists.iq.harvard.edu<mailto:dvn-auth-request@lists.iq.harvard.edu>" <dvn-auth-request(a)lists.iq.harvard.edu<mailto:dvn-auth-request@lists.iq.harvard.edu>>
Reply-To: "dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>" <dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>>
Date: Thursday, February 5, 2015 at 12:00 PM
To: "dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>" <dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>>
Subject: dvn-auth Digest, Vol 8, Issue 1
Send dvn-auth mailing list submissions to
dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth
or, via email, send a message with subject or body 'help' to
dvn-auth-request(a)lists.iq.harvard.edu<mailto:dvn-auth-request@lists.iq.harvard.edu>
You can reach the person managing the list at
dvn-auth-owner(a)lists.iq.harvard.edu<mailto:dvn-auth-owner@lists.iq.harvard.edu>
When replying, please edit your Subject line so it is more specific
than "Re: Contents of dvn-auth digest..."
Today's Topics:
1. Re: Shibboleth persistent identifier: persistent-id vs. eppn
vs. ePTID vs. NameID (Philip Durbin)
----------------------------------------------------------------------
Message: 1
Date: Thu, 5 Feb 2015 10:45:03 -0500
From: Philip Durbin <philip_durbin(a)harvard.edu<mailto:philip_durbin@harvard.edu>>
To: "dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>" <dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>>
Subject: Re: [dvn-auth] Shibboleth persistent identifier:
persistent-id vs. eppn vs. ePTID vs. NameID
Message-ID:
<CABbxx8FF9KREf_Z7usdKc7Gd6fdWyj48J7_kEq8zg4WG4oT7tw(a)mail.gmail.com<mailto:CABbxx8FF9KREf_Z7usdKc7Gd6fdWyj48J7_kEq8zg4WG4oT7tw@mail.gmail.com>>
Content-Type: text/plain; charset=UTF-8
Happy New Year, dvn-auth list! :)
I just created a ticket about eppn vs. ePTID vs. NameID at
https://github.com/IQSS/dataverse/issues/1422
Comments there or here are certainly welcome!
Phil
On Wed, Jul 30, 2014 at 1:39 PM, Philip Durbin
<philip_durbin(a)harvard.edu<mailto:philip_durbin@harvard.edu>> wrote:
Hi Leonhard!
Thanks for your reply! I'm very curious what your Shibboleth
federation hotline has to say.
Meanwhile, a little bird on this list pointed me to a "Cloud Services
Cookbook" recorded only a couple weeks ago that seems to have a ton of
related advice: http://www.incommon.org/iamonline/
I'll copy the DO and DON'T bullet points from the slides and in our
heads we can all translate "Vendor" to "Dataverse" and "Campus" to all
the IdP providers out there:
http://www.incommon.org/docs/iamonline/20140716_IAMOnline.pdf
Slide 11
Challenges: Network IDs and Email Addresses
CONSIDER the relationship between ePPN and mail.
Campus: DO socialize the use of organizational email addresses.
Campus: DO make eduPersonPrincipalName useful.
Vendor: DO be cautious about using mail as a unique identifier
Slide 12
Challenges: Scoped and Unscoped Identifiers
Campus: DO work with service providers to understand how data is being
interpreted.
Vendor: DON'T assume that a simple username is unique across domains
and subdomains.
Slide 19
Challenge: Usernames Change
?What's in a name? ...a rose by any other name would smell as sweet"
-?Act II, Scene II. Romeo and Juliet
Vendor: DO be prepared for username changes.
Campus: DO standardize internally on a stable "serial number" for users.
Campus: DO support a varied set of identifiers.
DON'T be afraid of eduPersonTargetedID.
The last slide links to
https://carmenwiki.osu.edu/display/CICIDM/Current+Working+Draft+of+Cloud+Se…
which seems to have similar advice but not in bullet form. :) Much
more detail, I mean.
So! My takeaway from all this is that I would very much like the IdPs
to send Dataverse a "stable 'serial number' for users". That's the
thing I want to store in the database on the Dataverse side. Can all
the IdPs out there send me this?
Phil
On Wed, Jul 30, 2014 at 3:00 AM, Leonhard Maylein
<Maylein(a)ub.uni-heidelberg.de<mailto:Maylein@ub.uni-heidelberg.de>> wrote:
Hi,
I'm not really a shibboleth expert. As far as I can see,
ePTID is used mainly in Shibboleth 1.x/SAML 1.x.
Shibboleth 2.x uses the persistentNameID (see
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTargetedID)
Shibboleth 1.x is no longer supported (see
https://wiki.shibboleth.net/confluence/display/SHIB/WebHome).
From a data privacy point of view, eppn could be problematic.
PersistentNameIDs are pseudonyms.
But I'm not sure if every IdP supports the persitentNameID,
although there are a lot of service providers (especially publishers)
which use this ID for personalization).
Maybe you could make it configurable which attribute/id is used?
To be sure, I will forward your email to our shibboleth federation
hotline.
Leonhard Maylein
Am 29.07.2014 um 23:15 schrieb Philip Durbin:
Hello!
Question for all you Shibboleth experts out there... If I'd like to
take one of the attributes and store in in Dataverse as a persistent
identifier? Which one should I use?
From playing around with the IdP at http://testshib.org I assumed
"persistent-id" would be the one to use. It looks nice and unique:
persistent-id:
https://idp.testshib.org/idp/shibboleth!https://apitest.dataverse.org/shibb…
However! I'm hearing that "persistent-id" may not be so commonly
used... that perhaps in Higher Ed anyway "eppn" might be used instead.
The weird thing to me about "eppn", however is that (at least from
TestShib) there's a username in it:
eppn: myself(a)testshib.org<mailto:myself@testshib.org>
Furthermore, eppn is allowed to change (!) according to
https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-…
"Values of eduPersonPrincipalName are often, but not required to be,
human-friendly, and may change as a result of various business
processes. They may also be reassigned after a locally-defined period
of dormancy. Applications that require a guarantee of non-reassignment
and more stability, but can tolerate values unfriendly (and unknown)
to humans should refer to the eduPersonTargetedID attribute."
So... maybe we should require eduPersonTargetedID (also known as
ePTID) instead...
But then I checked in with a non-Higher Ed person, and he uses
Assertion -> Subject -> NameID. It looks like this:
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user1</saml2:NameID>
It's got "persistent" in it, which I like. :)
From what I can tell from docs above "[ePTID] is an abstracted version
of [NameID]" anyway, so maybe I should just require NameID so
non-Higher Ed people aren't confused.
Of course, I may just be confusing myself... I hope it's clear what
I'm asking... What we need on the Dataverse side is to but something
in the "FIXME" below:
permanentId = httpServletRequest.getAttribute("FIXME");
Should the "FIXME" be "NameID" perhaps? "eppn"? Something else? Please
advise.
We'll be using this value to find the Shib users in the system each
time they log in.
Thanks!
Phil
p.s. Chats I just had (summarized above):
http://irclog.perlgeek.de/shibboleth/2014-07-29
Time Nick Message
19:57 pdurbin hsnopi or rkeene do you use "persistent-id" for anything?
19:59 hsnopi not taht I am specifically aware of. I think it is used
to give a user a permenant id but i could be very very wrong
19:59 pdurbin that's how I was thinking I'd use it
19:59 pdurbin but I'm also hearing that eppn is preferred, maybe?
20:00 pdurbin the IdP at http://testshib.org sends both
20:00 hsnopi that is so far out of my league
20:00 pdurbin eppn: myself(a)testshib.org<mailto:myself@testshib.org>
20:00 pdurbin persistent-id:
https://idp.testshib.org/idp/shibboleth!https://apitest.dataverse.org/shibb…
20:01 pdurbin persistent-id seemed "safer" to use... more unique...
20:01 hsnopi i seem to vaguely recall something about eppn going away
at soem point.
20:01 pdurbin hmm
http://www.evanchooly.com/logs/%2523glassfish/2014-07-29
pdurbin whartung: persistent-id or eppn?
whartung pdurbin: eh?
pdurbin heh
pdurbin whartung: http://irclog.perlgeek.de/shibboleth/2014-07-29
whartung frankly, I don't recognize either of those :)
pdurbin whartung: what attribute do you use to uniquely identify a
user who has logged in via shibboleth?
whartung Subject->NAmeID
pdurbin huh
pdurbin I'm not used to seeing "->" in an attribute
whartung Assertion -> Subject -> NameID
pdurbin oh oh
whartung no, it's the heirarchy
pdurbin whartung: you're giving me the xpath ;)
whartung yea
pdurbin cool. thanks
pdurbin NameID. hmm
pdurbin commonly used?
whartung Apparently
pdurbin ok. eppn comes from higher ed. eduPersonPrincipalName
https://www.incommon.org/federation/attributesummary.html
whartung ok
whartung yea, we're not in that domain
whartung generic Response of ours:
http://pastie.org/private/oay0trwmvrw9e0haekqmlw
pdurbin ok so <saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">kayyagari</saml2:NameID>
pdurbin interesting
whartung right
pdurbin so I'm seeing "persistent" there and under "longevity" at
https://wiki.shibboleth.net/confluence/display/SHIB2/NameIDAttributes
pdurbin "persistent: identifiers which are good for a long period of
time (e.g. years) but which the IdP may revoke"
whartung yea, perahps we should use "permanent" instead
pdurbin right
_______________________________________________
dvn-auth mailing list
dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>
To unsubscribe from this list or get other information:
https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth
_______________________________________________
dvn-auth mailing list
dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>
To unsubscribe from this list or get other information:
https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth
--
Philip Durbin
Software Developer for http://dataverse.orghttp://www.iq.harvard.edu/people/philip-durbin
--
Philip Durbin
Software Developer for http://dataverse.orghttp://www.iq.harvard.edu/people/philip-durbin
------------------------------
_______________________________________________
dvn-auth mailing list
dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>
To unsubscribe from this list or get other information:
https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth
End of dvn-auth Digest, Vol 8, Issue 1
**************************************
I'm seeing a very strange (and scary!) bug now that we're running
fronting Glassfish with Apache at
https://dataverse-demo.iq.harvard.edu
I've described the bug to the Shibboleth mailing list (initial message
below) and there have been some follow up posts:
- http://shibboleth.net/pipermail/users/2014-October/017878.html
- http://shibboleth.net/pipermail/users/2014-October/017879.html
- http://shibboleth.net/pipermail/users/2014-October/017885.html
Obviously, we can't ship Shibboleth support with a bug like this. Long
time readers of this list know that initially I tried a pure Java
solution called OIOSAML but the current approach is to use mod_shib,
which requires fronting Glassfish with Apache.
If anyone has any ideas what the problem might be, please let me know!
Thanks!
Phil
---------- Forwarded message ----------
From: Philip Durbin <philip_durbin(a)harvard.edu>
Date: Wed, Oct 29, 2014 at 6:47 PM
Subject: User sessions mixed up when Java app deployed to Glassfish is
fronted with Apache httpd
To: Shib Users <users(a)shibboleth.net>
By following the Shibboleth wiki*, I'm now fronting my Java
application server (Glassfish) with Apache httpd so I can use mod_shib
and have Shibboleth attributes passed to my Java application.
It works (great!) but now that I've configured our beta site this way
I have a new, terrifying problem...
Users' sessions are getting mixed up!
This is just a demo/beta site but obviously this is a show stopper for
us moving forward with mod_shib in production. Even on the demo site
I'm tempted to pull Apache httpd out of our setup because I don't want
people are looking at the demo site to get scared by suddenly seeing
that they are logged in as someone else! We never see this problem
when we run only Glassfish. The scrambled user sessions has something
to do with introducing Apache httpd into the mix.
I sure hope there's a simple fix for this. Let me explain how I've set
things up.
In my Apache httpd config I have these lines:
# don't pass paths used by rApache and TwoRavens to Glassfish
ProxyPassMatch ^/RApacheInfo$ !
ProxyPassMatch ^/custom !
ProxyPassMatch ^/rookzelig !
# don't pass paths used by Shibboleth to Glassfish
ProxyPassMatch ^/Shibboleth.sso !
ProxyPassMatch ^/shibboleth-ds !
# pass everything else to Glassfish
ProxyPass / ajp://localhost:8009/
<Location /shib.xhtml>
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
</Location>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
To enable AJP communication between Glassfish and Apache httpd I use
this command:
asadmin create-network-listener --protocol http-listener-1
--listenerport 8009 --jkenabled true jk-connector
I'm running on CentOS 6.5 and using httpd-2.2.15 which means I'm using
mod_proxy_ajp, as the wiki recommends (rather than mod_jk). I'm
running GlassFish Server Open Source Edition 4.0 (build 89).
Here's where we are tracking problem on our end:
https://github.com/IQSS/dataverse/issues/647
Any advice is welcome! Please tell me what I'm doing wrong! I'm happy
to point out relevant bits of the code and config, all of which is on
GitHub, but I think the key information is above.
Phil
* "In the setup described here, requests from browsers are intercepted
first by Apache httpd. The Shibboleth SP then checks these requests to
enforce authentication requirements. After an assertion is received
and a Shibboleth session is established, the SP or Apache httpd can
enforce access control rules, or it can just pass attributes to the
application. The request is then forwarded to the servlet through the
use of the AJP13 protocol. Subsequent requests can leverage the
Shibboleth session or a session maintained by the application or
servlet container to persist the login." under "Install Shibboleth to
protect Java Servlets" at
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall
p.s. People reporting similar problems (and how tricky it is to
reproduce reliably):
- http://jeecookbook.blogspot.com/2013/07/modjk-session-mixed-between-users.h…
- http://stackoverflow.com/questions/14731806/session-mix-up-apache-httpd-wit…
- http://stackoverflow.com/questions/14845493/spring-security-jsf-hibernate-a…
--
Philip Durbin
Software Developer for http://dataverse.orghttp://www.iq.harvard.edu/people/philip-durbin
--
Philip Durbin
Software Developer for http://dataverse.orghttp://www.iq.harvard.edu/people/philip-durbin
I'm looking for institutions with Shibboleth Identity Providers to test
interoperability to the code we pushed to
https://dataverse-demo.iq.harvard.edu last night per the announcement below.
Right now we only have the TestShib IdP but I'd love to have Odum/UNC,
DANS, Duke, etc. as options.
Can we exchange metadata?
Phil
---------- Forwarded message ----------
From: Eleni Castro <posixeleni(a)gmail.com>
Date: Thu, Oct 9, 2014 at 12:52 PM
Subject: [Dataverse-Users] Try out Single Sign-On With Shibboleth in 4.0
Beta
To: dataverse-community(a)googlegroups.com
Greetings Dataverse Community,
Dataverse 4.0 Beta <http://dataverse-demo.iq.harvard.edu/> now supports
single sign-on using Shibboleth <https://shibboleth.net/>, which allows
users to authenticate using the same login credentials that they use for
their institution or organization!
To test this out in Dataverse 4.0 Beta, select Log In on the top navigation
bar. Once on the Log In page under “Institution Log In”, click on “Please
select your institution…” dropdown option and select “TestShib Test IdP”
and click on the “Continue” button.
Next, you will be presented with a login page. As of this blog post, you
can only log in with three mock accounts (myself, superego, and alterego)
provided by the Identity Provider at http://testshib.org but we are very
interested in interoperability testing as many Identity Providers as
possible!
If the login is successful, you will then be taken to our Dataverse Account
Creation Terms of Use page. Please note that these terms are just for
testing and demonstration purposes and so are not our actual Dataverse
Terms of Use. We are currently working with the Berkman Center
<http://cyber.law.harvard.edu/> to update our Account Creation Terms of Use
for 4.0.
If you run a Shibboleth Identity Provider, you can download the the
Dataverse demo Service Provider metadata at
https://dataverse-demo.iq.harvard.edu/Shibboleth.sso/Metadata and send your
Identity Provider metadata to us via support(a)dataverse.org
We would love to be able to have as many institutions able to use
Shibboleth when Dataverse 4.0 goes live so please get in touch with us if
you are interested!
If you are interested in authentication beyond Shibboleth (OAuth, LDAP,
etc.), please consider subscribing to our dedicated "dvn-auth" mailing list
at https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth
Shibboleth is an oft-discussed topic
<http://irclog.iq.harvard.edu/search.pl?channel=dataverse&q=shibboleth> in
the #dataverse IRC channel on freenode
<http://webchat.freenode.net/?channels=dataverse> as well!
*Reposted from the Data Science Blog:
**http://datascience.iq.harvard.edu/blog/try-out-single-sign-shibboleth-40-beta
<http://datascience.iq.harvard.edu/blog/try-out-single-sign-shibboleth-40-be…>*
--
You received this message because you are subscribed to the Google Groups
"Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to dataverse-community+unsubscribe(a)googlegroups.com.
To post to this group, send email to dataverse-community(a)googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/dataverse-community/54796b3e-3296-46e9-94…
<https://groups.google.com/d/msgid/dataverse-community/54796b3e-3296-46e9-94…>
.
For more options, visit https://groups.google.com/d/optout.
--
Philip Durbin
Software Developer for http://dataverse.org <http://thedata.org>
http://www.iq.harvard.edu/people/philip-durbin