On Tue, 25 May 2010, Rod Widdowson wrote:
> I asked Jim Fox over at UW, who maintains, and possibly wrote, Pubcookie as
> well as being a long time Shibboleth contributor about this and this is his
> answer (posted with his permission).
Thanks, that's really helpful. It looks like Jim has come up with a
satisfactory way to inter-work Pubcookie and Shib which I could probably
copy. It's helpful to know for sure that a custom auth plugin delegating
to another web-redirect SSO solution is a possibility, so that's an option
for me as well. A custom plugin could pass the SP's entityID and that
would also address my wish to have our SSO system tell users what they are
authenticating to.
I agree that redirects shouldn't really be a problem. In practice they,
and the rather obvious delay at "redirecting to the resource..." while the
back channel runs, do seem to add up. It may be that our IdP is sluggish
for some reason, and I think that Firefox on Linux has a problem[1] with
https redirects that I've never got to the bottom of and which seems to
affect me in particular!
Jon.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=399981
--
Jon Warbrick
Information Systems Development, Computing Service, University of Cambridge
>> -----Original Message-----
>> From: Jim Fox [mailto:[log in to unmask]]
>> Sent: 24 May 2010 19:02
>> To: Rod Widdowson
>> Subject: Re: FW: Use "RemoteUser", or not?
>>
>>
>> Rod
>>
>> We use pubcookie login to do shib authentication. This way login
>> looks just the same to users, whether they are connecting to a
>> shib site or to a pubcookie site (except for the "redirecting to
>> the resource..." message at the end). Users don't have to be told
>> anything about shib, as the only site they 'see' is the pubcookie
>> page.
>>
>> I'm not concerned about the 'flood' of redirects. There are already
>> so many that the extra hop to pubcookie has the same effect as
>> adding a snowflake to a blizzard.
>>
>> We have a custom auth plugin
>>
>> http://staff.washington.edu/fox/shibboleth/
>>
>> that implements passive, forced and two-factor login protocols for sites
>> using remoteuser authentication.
>>
>> I considered for a while installing the shib idp on a subdomain of the
>> pubcookie login service. That way they could share session cookies, just
>> in case I ever wanted to go the idp-as-pubcookie-peer route. Decided that
>> would be more trouble than it was worth. One other way to get sso
>> out of the two peer systems is that each could, upon setting its own
>> cookies, fire off a redirect to the other, so it could also establish a
>> session.
>>
>> Jim