Mark,
Our institution is part of InCommon and we use Shibboleth authentication for
our VCL, but we don't actually use the InCommon metadata with our VCL (so take
my suggestions with a grain of salt). In order to use the InCommon metadata,
however, you would first need to configure your SP to consume the metadata like
this in shibboleth2.xml:
<MetadataProvider type="XML"
url="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
backingFilePath="/path/to/local/incommon-metadata.xml"
reloadInterval="86400"/>
This will refresh the metadata daily, which is what InCommon recommends.
If you wish to restrict login to just your own IdP or a small set of IdPs (i.e.
not the entire InCommon Federation), then you will need to add a child node to
the MetadataProvider:
<MetadataProvider ...{see above for attributes}>
<MetadataFilter type="Whitelist">
<Include>{the entityID to keep}</Include>
<Include>{another IdP's entityID to keep}</Include>
....
</MetadataFilter>
</MetadataProvider>
(The entityID is the identifier for an Identity Provider; it can be a URN or a
URL.)
Then, make sure that the SP metadata is loaded into all the IdPs you plan to
support. If there are a lot of IdPs involved, you can register the SP directly
with InCommon. I have no experience doing this, but your campus' identity
management group should be able to help you there.
Then, in your conf.php file, you will need to create one or more affiliations
in the $authMechs array for use with the InCommon login. The important part is
the "URL" attribute, which should be something like one of the following:
"/Shibboleth.sso/Login?target=/shibauth&entityID={URL-encoded path to an IdP or a URN}"
(If there is only one IdP you plan to support and wish to bypass a discovery
service)
OR
"/Shibboleth.sso/Login?target=/shibauth"
(If you have a discovery service configured in shibboleth2.xml, i.e.
/SPConfig/ApplicationDefaults/Sessions/SSO@discoveryURL)
OR
A path directly to your discovery service. There is an example of this in
conf-default.php
I hope that helps,
Aaron
--
Aaron Coburn
Systems Administrator and Programmer
Academic Technology Services, Amherst College
[email protected]
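A fuller version of the shibboleth2.xml fragment described above, as an added example that is not part of Aaron's message or of the VCL project: it combines the daily reload settings with the Whitelist filter, and adds two checks Shibboleth SP 2.x supports that the message does not mention, a Signature filter so that an aggregate fetched over plain HTTP is only accepted when it verifies against the federation's signing certificate, and a RequireValidUntil filter so that a stale aggregate is rejected. The entityIDs and the certificate path are placeholders.

```xml
<!-- Added example (not from the original message): a MetadataProvider for
     shibboleth2.xml that consumes InCommon metadata, verifies it, and keeps
     only the IdPs this SP should trust. Filters are applied in order. -->
<MetadataProvider type="XML"
                  url="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
                  backingFilePath="/path/to/local/incommon-metadata.xml"
                  reloadInterval="86400">

    <!-- Reject the aggregate unless its XML signature verifies against the
         federation signing certificate. The path is a placeholder; obtain the
         certificate out of band from InCommon and keep a local copy. -->
    <MetadataFilter type="Signature" certificate="/path/to/inc-md-cert.pem"/>

    <!-- Reject an aggregate whose validUntil is missing or more than 28 days
         out, so a replayed old copy is not trusted indefinitely. -->
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>

    <!-- Keep only these IdPs; every other EntityDescriptor in the aggregate
         is dropped, so users of unlisted IdPs cannot log in to the VCL.
         The entityIDs below are placeholders. -->
    <MetadataFilter type="Whitelist">
        <Include>urn:mace:incommon:example.edu</Include>
        <Include>https://idp.partner.example.org/idp/shibboleth</Include>
    </MetadataFilter>
</MetadataProvider>
```

Because the Whitelist filter decides which IdPs the SP trusts at all, the entityID placed in the conf.php "URL" attribute (or chosen through the discovery service) must be one of the included entries; a login attempt against an IdP that was filtered out fails at the SP before the user ever reaches /shibauth.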
On Oct 11, 2012, at 2:43 PM, Mark Gardner <[email protected]>
wrote:
OK thanks.
Mark
On Thu, Oct 11, 2012 at 2:39 PM, Josh Thompson
<[email protected]> wrote:
Mark,
Just normal Shibboleth authentication. Aaron Coburn did a great write up of
setting up Shibboleth with VCL here:
http://people.apache.org/~acoburn/shibboleth.html
Others at NCSU dealt with joining InCommon. So, I have no idea about that
part.
Josh
On Thursday, October 11, 2012 2:34:02 PM Mark Gardner wrote:
What did you need to do to get it working with the VCL?
Mark
On Thu, Oct 11, 2012 at 2:19 PM, Josh Thompson <[email protected]>
wrote:
We are set up with it at NCSU.
Josh
On Thursday, October 11, 2012 1:54:20 PM Mark Gardner wrote:
Is anybody working on InCommon authentication (http://www.incommon.org/)?
Mark
--
-------------------------------
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University
[email protected]
919-515-5323
my GPG/PGP key can be found at pgp.mit.edu
All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
--
Mark Gardner
--