Chris,

Jim is a great resource for this. I wrote the VCL Shibboleth code, but Jim knows much more about Shibboleth than I do. Aaron Coburn wrote up a good page on configuring VCL and Shibboleth: http://people.apache.org/~acoburn/

Here is a page I wrote that is quite old, but the information is still relevant: https://cwiki.apache.org/confluence/display/VCLDOCS/Setting+up+Shibboleth+Authentication

Entries in the $authMechs array in conf.php for authenticating users via Shibboleth are quite different than entries for authenticating via LDAP. First and last name are not required to be available. So, those do not need to be passed in attributes from Shib. EPPN is the only thing required.

A single Shib entry in conf.php allows users from different institutions to authenticate. VCL will take the part after the @ in the EPPN to create an affiliation for that user/institution. For example, here at NCSU, we can (among others) authenticate users from NCSU and UNCP. A user from NCSU could have an EPPN like [email protected], which would be converted to user1@NCSU in VCL. A user from UNCP could have an EPPN like [email protected], which would be converted to user2@UNCP in VCL.

I hope that helps.

Josh

On Friday, August 15, 2014 8:39:23 AM James O'Dell wrote:
> Hi Chris,
>
> A few years back, I set up CSUF's VCL to authenticate and use the
> attributes from InCommon. (Thanks again Josh!)
>
> I even added a few attributes like 'eduCourseMember' and 'isMemberOf'
> (based on ldap groups)
>
> I'd be happy to help. Send me a message if you're interested
>
> __Jim
>
> On 8/15/2014 8:19 AM, Christopher Wolfe wrote:
>> All,
>>
>> Has anyone had experience setting up VCL to authenticate/authorize
>> against InCommon? I've seen, but not explored, what appears to be
>> shibboleth code in conf.php.
>>
>> My understanding is that I need to map the attributes provided by LDAP,
>> etc. into the data structure in conf.php. However, I foresee a few
>> pitfalls, and am not sure how best to accommodate them. First, user
>> names (first, last) are not provided for students for privacy reasons.
>> Second, depending on type of account (staff, student, admin, etc.)
>> different attribute stores/IPs are available, with different attribute
>> names.
>>
>> Regarding the first point, is it possible to supply a generic name for
>> all users (i.e. John Doe)? Would this cause problems with VCL?
>>
>> Regarding the second point, is it sufficient to add an entry to
>> authMechs for each provider? The code appears to be structured this way,
>> so I assume so. If so, how is the mechanism selected for a particular
>> login? Is each mechanism tried until one succeeds or all fail? If so,
>> how could I achieve preferential ordering of mechanisms (I believe Perl
>> 5.18+ hashes are randomized, and so we can't rely on the ordering
>> specified in conf.php)?
>>
>> Thanks,
>>
>> Chris Wolfe

--
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University
my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which are sent to or received by this account are subject to the NC Public Records Law and may be disclosed to third parties.
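The EPPN-to-affiliation conversion Josh describes above (the scope after the `@` becomes the VCL affiliation, so `user@some-scope` turns into `user@AFFILIATION`), written out as an added illustration. This is not VCL's own code and does not reflect how conf.php or the VCL Shibboleth module actually implements the lookup; the `KNOWN_AFFILIATIONS` table, the sample EPPN values and the function names are constructed for the example. It goes slightly beyond the email by rejecting malformed EPPNs and scopes that are not on the accepted list, which matters precisely because a single Shibboleth entry serves every institution in the federation.

```php
<?php
// Added illustration, not VCL code: derive a VCL-style "user@AFFILIATION"
// login from a Shibboleth eduPersonPrincipalName (EPPN).
declare(strict_types=1);

// Constructed sample table mapping an EPPN scope to an affiliation label.
// A real deployment would populate this from its own affiliation records.
const KNOWN_AFFILIATIONS = [
    'example-a.edu' => 'EXAMPLEA',
    'example-b.edu' => 'EXAMPLEB',
];

/**
 * Split an EPPN into [localpart, scope], or return null if it is malformed.
 * Exactly one '@' is required, both halves must be non-empty, and
 * whitespace or control characters are rejected outright.
 */
function parseEppn(string $eppn): ?array
{
    if (preg_match('/^([^@\s[:cntrl:]]+)@([^@\s[:cntrl:]]+)$/', $eppn, $m) !== 1) {
        return null;
    }
    // Scopes are DNS-style names, so compare them case-insensitively.
    return [$m[1], strtolower($m[2])];
}

/**
 * Return "user@AFFILIATION" when the scope is one this service accepts,
 * or null otherwise.  Refusing unknown scopes keeps an identity provider
 * from minting logins under an affiliation it was never trusted to assert.
 */
function vclLoginFromEppn(string $eppn, array $affiliations = KNOWN_AFFILIATIONS): ?string
{
    $parts = parseEppn($eppn);
    if ($parts === null) {
        return null;
    }
    [$user, $scope] = $parts;
    if (!array_key_exists($scope, $affiliations)) {
        return null;
    }
    return $user . '@' . $affiliations[$scope];
}

// Constructed sample inputs: two valid EPPNs (one with mixed-case scope),
// one from a scope that is not accepted, and two malformed values.
$samples = [
    'alice@example-a.edu',
    'bob@Example-B.edu',
    'mallory@unknown.edu',
    'no-scope',
    'a@b@c',
];
foreach ($samples as $eppn) {
    $login = vclLoginFromEppn($eppn);
    printf("%-22s -> %s\n", $eppn, $login ?? 'REJECTED');
}
```

In a Shibboleth SP deployment the scope of a scoped attribute such as EPPN is normally already checked against the identity provider's metadata by the SP's attribute filter before the application ever sees it; the allow-list in the example is an application-side check on top of that, so an attribute that slipped through with an unexpected scope produces no login rather than a new affiliation.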
