Thanks Aaron. That does help.

We are part of InCommon as well but I have no experience with it.

Mark

On Thu, Oct 11, 2012 at 4:25 PM, Aaron Coburn <[email protected]> wrote:
> Mark,
>
> Our institution is part of InCommon and we use Shibboleth authentication for 
> our VCL, but we don't actually use the InCommon metadata with our VCL (so 
> take my suggestions with a grain of salt). In order to use the InCommon 
> metadata, however, you would first need to configure your SP to consume the 
> metadata like this in shibboleth2.xml:
>
> <MetadataProvider type="XML"
>       url="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
>       backingFilePath="/path/to/local/incommon-metadata.xml"
>       reloadInterval="86400"/>
>
> This will refresh the metadata daily, which is what InCommon recommends.
>
> If you wish to restrict login to just your own IdP or a small set of IdPs 
> (i.e. not the entire InCommon Federation), then you will need to add a child 
> node to the MetadataProvider:
>
> <MetadataProvider ...{see above for attributes}>
>   <MetadataFilter type="Whitelist">
>     <Include>{the entityID to keep}</Include>
>     <Include>{another IdP's entityID to keep}</Include>
>     ....
>   </MetadataFilter>
> </MetadataProvider>
>
> (The entityID is the identifier for an Identity Provider; it can be a URN or 
> a URL.)
>
> Then, make sure that the SP metadata is loaded into all the IdPs you plan to 
> support. If there are a lot of IdPs involved, you can register the SP 
> directly with InCommon. I have no experience doing this, but your campus' 
> identity management group should be able to help you there.
>
> Then, in your conf.php file, you will need to create one or more affiliations 
> in the $authMechs array for use with the InCommon login. The important part 
> is the "URL" attribute, which should be something like one of the following:
>
> "/Shibboleth.sso/Login?target=/shibauth&entityID={URL-encoded path to an IdP 
> or a URN}"
> (If there is only one IdP you plan to support and wish to bypass a discovery 
> service)
>
> OR
>
> "/Shibboleth.sso/Login?target=/shibauth"
> (If you have a discovery service configured in shibboleth2.xml, i.e. 
> /SPConfig/ApplicationDefaults/Sessions/SSO@discoveryURL)
>
> OR
>
> A path directly to your discovery service. There is an example of this in 
> conf-default.php
>
> I hope that helps,
> Aaron
>
>
>
> --
> Aaron Coburn
> Systems Administrator and Programmer
> Academic Technology Services, Amherst College
> [email protected]
>
>
>
>
>
>
> On Oct 11, 2012, at 2:43 PM, Mark Gardner <[email protected]> wrote:
>
> OK thanks.
>
> Mark
>
> On Thu, Oct 11, 2012 at 2:39 PM, Josh Thompson <[email protected]> wrote:
> Mark,
>
> Just normal Shibboleth authentication.  Aaron Coburn did a great write up of
> setting up Shibboleth with VCL here:
>
> http://people.apache.org/~acoburn/shibboleth.html
>
> Others at NCSU dealt with joining InCommon.  So, I have no idea about that
> part.
>
> Josh
>
> On Thursday, October 11, 2012 2:34:02 PM Mark Gardner wrote:
> What did you need to do to get it working with the VCL?
>
> Mark
>
> On Thu, Oct 11, 2012 at 2:19 PM, Josh Thompson <[email protected]>
> wrote:
> We are set up with it at NCSU.
>
> Josh
>
> On Thursday, October 11, 2012 1:54:20 PM Mark Gardner wrote:
> Is anybody working on InCommon authentication (http://www.incommon.org/)?
>
> Mark
>
> --
> -------------------------------
> Josh Thompson
> Systems Programmer
> Advanced Computing | VCL Developer
> North Carolina State University
>
> [email protected]
> 919-515-5323
>
> my GPG/PGP key can be found at pgp.mit.edu
>
> All electronic mail messages in connection with State business which
> are sent to or received by this account are subject to the NC Public
> Records Law and may be disclosed to third parties.
>
>
>
> --
> Mark Gardner
> --
>



-- 
Mark Gardner
--
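
An added example, not part of the thread or of the VCL or Shibboleth code: a small check over a shibboleth2.xml fragment like the one Aaron describes, plus a helper that builds the single-IdP login URL for $authMechs. The example.edu entityIDs are constructed placeholders, and the check for a `Signature` MetadataFilter (an SP filter type the thread does not mention) is an assumption about what a reviewer would want on a remotely fetched federation feed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

# Constructed sample: the provider from the thread with a placeholder IdP entityID.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://vcl.example.edu/shibboleth">
    <MetadataProvider type="XML"
        url="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
        backingFilePath="/path/to/local/incommon-metadata.xml"
        reloadInterval="86400">
      <MetadataFilter type="Whitelist">
        <Include>https://idp.example.edu/idp/shibboleth</Include>
      </MetadataFilter>
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>"""

def local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_metadata_providers(xml_text):
    """Return one report dict per remote MetadataProvider in an SP config."""
    reports = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "MetadataProvider" or not el.get("url"):
            continue
        filters = [c for c in el if local(c.tag) == "MetadataFilter"]
        types = {f.get("type") for f in filters}
        allowed = [i.text.strip() for f in filters if f.get("type") == "Whitelist"
                   for i in f if local(i.tag) == "Include" and i.text]
        findings = []
        if urlsplit(el.get("url")).scheme != "https":
            findings.append("metadata fetched over plain HTTP")
        if "Signature" not in types:
            findings.append("no Signature filter: metadata is not verified")
        if not allowed:
            findings.append("no Whitelist: every IdP in the feed is accepted")
        reports.append({"url": el.get("url"), "allowed": allowed, "findings": findings})
    return reports

def login_url(entity_id, target="/shibauth"):
    """Build the $authMechs "URL" value that bypasses discovery for one IdP."""
    return "/Shibboleth.sso/Login?target=%s&entityID=%s" % (target, quote(entity_id, safe=""))

if __name__ == "__main__":
    for r in audit_metadata_providers(SAMPLE):
        print(r["url"], r["allowed"], r["findings"])
    print(login_url("https://idp.example.edu/idp/shibboleth"))
```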
