IMPETUS - Infrastructure for Multi-Professional Education and Training Using Shibboleth


Shibboleth

Seginus IDP hosted at

https://shibboleth.dmu.ac.uk/


Desktop IDP hosted at

https://idp.shibboleth.dmu.ac.uk/
(Offline: being used as IIS SP test system)


WAYF hosted at

https://shibboleth.dmu.ac.uk/



Seginus SP hosted at

https://shibboleth.dmu.ac.uk/



Desktop SP hosted at

https://sp.shibboleth.dmu.ac.uk/



IIS Test Resource available at

https://sp.shibboleth.dmu.ac.uk/iisshibb/


Test Resources available at

https://shibboleth.dmu.ac.uk/test_resource/



News

22/01/07 Configured IIS to only accept SSL connections. Configured "shibboleth.xml" to point to the WAYF, changed its providerID to a custom version, pointed Shibboleth to its certificate and to a custom metadata file called "iis-metatdata.xml". Altered "AAP.xml" to accept the pushed attributes from the IDP. Created a metadata file for all SPs and IDPs which contained references to the new links and certificates. Created a simple .asp file that pulled all the headers to make sure the attributes were being received properly. Checked that all systems were running correctly and tested. The target resource was successfully filtered by Shibboleth and the attributes were sent successfully.
15/01/07 IIS 5.1 installed on the new box. IIS uses a certificate request process to add certificates to web pages. This was bypassed by creating a self-signed certificate using SelfSSL, a tool available from Microsoft as part of the IIS 6.0 tools. Shibboleth MSI downloaded and installed on IIS. Created a second certificate using OpenSSL for use with Shibboleth.
08/01/07 New box set up as a clean install for IIS. IP address made static and added to the domain as "sp.shibboleth.dmu.ac.uk".
03/01/07 Installed IIS 5.1 under Windows XP Pro and tested locally. Success.
18/12/06 A decision has been made to shibbolize an IIS system before attempting to shibbolize Blackboard. IIS can be installed under Windows XP Pro (IIS 5.1) and used as a test system.
11/12/06 It has been implied by various web sources that Blackboard requires customisation of the Blackboard system by Blackboard designers. A test Blackboard has been set up to allow investigation into how the system works.
04/12/06 The Blackboard test system available is hosted on a Windows box under IIS. Looking into the possibility of shibbolizing it.
27/11/06 Still no reply from the SPIE project team. The SPIE module would not work properly with the uPortal installation. Java-SP is not supported at the moment. Looking into other applications for Shibboleth. A possible use is to shibbolize a VLE (Blackboard).
20/11/06 Came across problems in using Java-SP with uPortal. No support is given, as Java-SP is not a supported product.
13/11/06 Installing the Java-SP stored in the head of the CVS tree with the latest shib-filter.
06/11/06 A new approach was employed to minimise problems from using Tomcat on its own without JBoss. The development environment employed by the SPIE project was duplicated using the instructions provided on the SPIE project website. These included:
  • Eclipse 1.31
  • Tomcat 5.5x
  • JBoss 4
  • Plugins for Eclipse (JBoss IDE and Tomcat plugin)
Using this setup the Java-SP suggested by the SPIE project (version 1.3c) still incorrectly places the attributes in the header.
30/10/06 Instead of using an externally hosted IDP, the IDP shipped with the Java-SP was used. The version used by SPIE still doesn't place attributes in the header correctly. Instead used the version stored in the head of the CVS tree: attributes successfully placed in the header and SpieJaas works. Once uPortal is installed it causes the attribute request between SP and IDP to fail. This is the same for both versions of shib-java and for both the uPortal used in SPIE and the latest version.
16/10/06 Tried installing the latest uPortal from source and deployed it under Tomcat. The problem still remains. Still no answer from the SPIE team.
09/10/06 While waiting for an answer to the previous problem, tried installing other versions of both shib-java and uPortal.
  • Shib-java found in the head of the CVS tree
03/10/06 Seginus still set up for the test environment. Waiting for an answer on the problems.
29/09/06 Seginus out of action for updates. Metadata on Seginus temporarily altered to a bilateral deployment for use with shibbolized uPortal.
  • SP installed on desktop
  • Downloaded uPortal quick setup 2.5.1
  • Installed SpieJaas onto Tomcat (added an option "java.security.auth.login.config=c:/spiejaas/SpieJaas.conf" as a "syspropertykey" to the Tomcat build target in build.xml)
  • Installed SpieJaas test servlet: working
  • Added a new security context for SpieJaas to uPortal to replace the standard form login: not working
  • Contacted SPIE about the problems
28/09/06 Desktop IDP being taken offline to be used as a shib-uPortal test system.
14/09/06 Dynamic index page created and added to the Test Resource index. Once the user is logged in, this page dynamically creates a list of the links available to that user based upon the "unscoped-affiliation" attribute.
12/09/06 Slides created for the introduction and demonstration of Shibboleth and placed on the documentation page.
24/08/06 New and updated resources added to the SP, as well as an index page and information about the aforementioned resources, available at Test_Resources.
08/08/06 Demonstration page changed to contain screenshots of the altered resources.
04/08/06 Altered test resource to represent the home organisation.
28/07/06 WAYF page and IDP's login page altered to represent the home organisation.
14/07/06 First implementation of test resources published on the SP using "unscoped-affiliation" as a rule.
07/07/06 Demo page implemented showing a demonstration of how Shibboleth controls access to resources.
03/07/06 The IMPETUS project website was moved from idp.shibboleth.dmu.ac.uk to http://ribble.dmu.ac.uk/impetus
20/06/06 Security advisory released for Shibboleth v1.3, v1.2 on 15/06/06 stating that a serious spoofing bug was evident in SP 1.3 and 1.2. To remedy this, Shibboleth Service Provider 1.3e has been released. The SP was uninstalled and replaced with the new version, copying the config files to the new folder.
16/06/06 To comply with standards the eduPerson schema was downloaded and applied to the LDAP server. When creating a user, use the object classes "Person", "OrganisationalPerson", "inetOrgPerson" and "eduPerson". eduOrg-200212.ldif has a conflict with the LDAP server and will not apply. Altered the Shibboleth error pages, Tomcat login form and WAYF page to reflect the host, in this case De Montfort University.
15/06/06 Removed un-needed files from the SP and IDP folders to avoid confusion later on. Changed file locations for certificates etc. Changed authorisation of the SSO from flat file to Tomcat form-based authentication. Altered the LDAP server to contain usernames and passwords; authorisation of Tomcat forms is done through Tomcat's server.xml connected to LDAP. See the Twiki instructions and form instructions. Authorisation successful against the LDAP server.
14/06/06 Set up IDP and SP with a bilateral setup, removing the WAYF. Setup was successful on creation of a new metadata file. Next, using resolvertest, the ldap-resolver.xml file was tested to see if LDAP queries were being made correctly. Success. Removed the echo response for attributes and altered arp.xml and idp.xml to incorporate LDAP. On the SP the AAP.xml was altered accordingly. IDP and SP were tested to see if attributes were being passed to the SP. Success.
13/06/06 A reply was received from shibboleth-user@internet2.edu stating that port 8443 should be available to the public through the firewall. Shibboleth uses this port to send SAML requests instead of the standard 443 port. Enabled 8443 on the firewall for both inbound and outbound on both domain names. The IDP was then tested against the InQueue test resource. Attributes now correctly sent to the SP.
08/06/06 Received a response from shibboleth-user@internet2.edu suggesting that the shibd.log found on the SP should be checked for debug errors. Returned a query to the forum on how this is achieved with the InQueue SP. While waiting for the reply, the shibd.log file was checked on the original test SP and it was found that the certificate used to sign SAML assertions was failing.
07/06/06 The IDP joined the InQueue federation to use the test resource. Received the InQueue response and implemented the configuration supplied by InQueue that would replace the metadata and create InQueue-valid certificates. Completed configuration and tested the IDP against the InQueue sample JSP page. Still no assertion was being passed to the IDP from the SP.
06/06/06 The IDP access logs were checked and it was found that no attribute requests were being received from the SP. Help was requested on the shibboleth-user@internet2.edu forum. While waiting for a response it was decided that the setup should be separated to test the individual components.
05/06/06 The Identity Provider (IDP), Service Provider (SP) and Where Are You From (WAYF) were set up. The setup was checked and it was found that authentication was successful but no attributes were being passed to the SP. To see if it was a local problem the machines were assigned static IPs. As well as this, publicly accessible domain names were created with ports 443 & 80 open on the firewall.
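The 14/09/06 dynamic index page and the 20/06/06 SP spoofing advisory both hinge on the same point: the SP pushes attributes to the resource as request headers, so the resource may only act on those headers when the SP filter actually processed the request. The following is an added illustration of that logic, not the project's own .asp page; it assumes (not stated on the page) that the SP 1.3 filter exposes eduPersonAffiliation in a header named "Shib-EP-UnscopedAffiliation", joins multiple values with ";", and that the deployment tells the application whether the requested path was protected by the SP filter.

```python
"""Affiliation-driven link index, modelled on the IMPETUS dynamic index page.

Added example, not the project's code. Assumed (not from the page): the SP 1.3
filter sets the request header "Shib-EP-UnscopedAffiliation" for
eduPersonAffiliation, multiple values are joined with ";", and the caller knows
whether the SP filter protected the requested path.
"""

# Constructed mapping of affiliation value -> links the index page offers.
LINKS_BY_AFFILIATION = {
    "member": ["/test_resource/member_only/"],
    "staff": ["/test_resource/staff_only/"],
    "student": ["/test_resource/student_only/"],
}

AFFILIATION_HEADER = "Shib-EP-UnscopedAffiliation"  # assumed SP 1.3 header name


def parse_affiliations(headers, sp_filtered):
    """Return the set of affiliation values the page may rely on.

    `headers` maps request header names (any case) to values. `sp_filtered`
    says whether the SP filter processed this request. When it did not, any
    Shib-* header reached the resource straight from the client (the spoofing
    risk the SP 1.3e advisory addressed), so it is ignored, not trusted.
    """
    if not sp_filtered:
        return set()
    lookup = {name.lower(): value for name, value in headers.items()}
    raw = lookup.get(AFFILIATION_HEADER.lower(), "")
    return {v.strip().lower() for v in raw.split(";") if v.strip()}


def build_index(headers, sp_filtered):
    """Return the sorted, de-duplicated list of links visible to this user."""
    links = []
    for affiliation in sorted(parse_affiliations(headers, sp_filtered)):
        links.extend(LINKS_BY_AFFILIATION.get(affiliation, []))
    return sorted(set(links))


if __name__ == "__main__":
    # Constructed request headers, as the test .asp header dump would show them.
    genuine = {"Host": "sp.shibboleth.dmu.ac.uk",
               "Shib-EP-UnscopedAffiliation": "member;staff"}
    print(build_index(genuine, sp_filtered=True))   # member and staff links
    # The same header arriving on a path the SP did not filter yields nothing.
    print(build_index(genuine, sp_filtered=False))  # []
```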