JISC-SHIBBOLETH Archives

JISC-SHIBBOLETH  March 2013

Subject: Re: True SSO how to guide (was IdP on Windows vs LDAP)
From: caleb racey <[log in to unmask]>
Reply-To: Discussion list for Shibboleth developments <[log in to unmask]>
Date: Fri, 8 Mar 2013 12:12:43 +0000
Content-Type: text/plain

I can't claim to be an AD whizz either.

By "first bit" do you mean what the principal name should be?

If so, probably [log in to unmask]

Our active directory is not authoritative for all of .ncl.ac.uk as we didn't want to have it assume it ran the DNS; yours might be. So the end bit would be HCUK.AC.UK


>-----Original Message-----

>From: Discussion list for Shibboleth developments [mailto:JISC-[log in to unmask]] On Behalf Of David Perry

>Sent: 08 March 2013 11:54

>To: [log in to unmask]

>Subject: Re: True SSO how to guide (was IdP on Windows vs LDAP)

>

>Caleb

>

>Brilliant - thanks for the all in one version.

>

>I'm unsure about the first bit I have to profess (not an AD whizz) - what would it be for a server named shibb.hull-college.ac.uk domain HCUK(.local)?

>

>Thanks,

>Dave

>

>David Perry

>eLearning Technologist (L34 - Library)

>Hull College Group

>Wilberforce Drive, Queen's Gardens, Hull

>HU1 3DG

>Extension 2230 / Direct Dial 01482 381930

>

>HOW ARE WE DOING?

>Fill in our survey and you could win a prize!

>For students - http://library.hull-college.ac.uk/survey

>For staff - http://library.hull-college.ac.uk/staffsurvey

>

>

>

>

>

>* * * Think about the environment - Do you really need to print this email?
>
>>>> caleb racey <[log in to unmask]> 08/03/2013 11:46 >>>
>
>Several list members have asked for a description of how we have setup our IdP to achieve "true sso" via a kerberised login handler. My colleague Chris Franks has produced the following step by step guide which should help the community to setup true SSO and understand its limitations.

>

>https://crypt.ncl.ac.uk/login-gateway/docs/Shibboleth_SPNEGO_Setup.pdf

>

>

>

>>-----Original Message-----

>>From: Discussion list for Shibboleth developments [mailto:JISC-[log in to unmask]] On Behalf Of caleb racey

>>Sent: 07 February 2013 14:17

>>To: [log in to unmask]

>>Subject: Re: IdP on Windows vs LDAP

>>

>>Yes and the answer is to only send someone to the kerb login if you are sure it's going to work, we do this with JavaScript on the login page and setting a useragent on our domain joined machines to "campus-ncl" then detecting that

>>

>>To copy paste out of the thread at https://groups.google.com/forum/?fromgroups=#!topic/shibboleth-users/NOaQDb0LMyw

>>

>><snip>

>>

>>We have Kerberos autologin setup on our IdP via the SPNEGO handler that Rodrigo and his team developed (it is excellent work), it is handling in the region of 17000 logins a day without any problems.
>>
>>As Rodrigo alludes to, the error behaviour of browsers that do not have a valid Kerberos ticket is a major issue. The behaviour depends on the browser being used and its configuration and network setup.....the worst case scenario we have seen is a basic auth grey pop up login box appears while the browser is still showing the url of the SP or WAYF, the end user therefore has no means of seeing if they are entering their password into a legitimate IdP. We view this as potentially training our user population to put their password into any grey login box that pops up and asks for it (very few would understand the difference between a wayf or SP url and any other url). Also our view is that the different behaviour of browsers would result in an unacceptable support workload should we try and support auto login for them.

>>

>>To work round this we only trigger spnego login when we are sure it will work, so we detect if a user is on campus from their ip address, and has a browser user agent set to a predefined string by our Active Directory (AD) policy based build. This means they are using a machine that is managed by our active directory and therefore will be logged into the AD and have a kerb ticket. We then also prevent spnego from users coming in via our vpn service or one of our wireless networks (magpie). We also only allow autologin to a subset of our own SPs.

>>

>>Snippet of javascript from our IdP that does this below

>>

>>

>>function spnego(sp, ip)
>>{
>>  // IPs we don't want to autologin
>>  if (ip.indexOf("10.12.", 0) == 0) { return; } //(magpie wireless)
>>  else if (ip.indexOf("10.13.", 0) == 0) { return; } //(magpie wireless)
>>  else if (ip.indexOf("10.6.", 0) == 0) { return; } //(ivpn vpn)
>>  else if (ip.indexOf("128.240.246.", 0) == 0) { return; } //(evpn vpn)
>>
>>  // SPs that are allowed to use autologin
>>  var autoSPs=[ "https://internal.ncl.ac.uk/shibboleth/metadata",
>>                "https://directory.ncl.ac.uk/shibboleth/metadata",
>>                "https://my.ncl.ac.uk/shibboleth/metadata",
>>                "https://unixmon.ncl.ac.uk/shibboleth/metadata",
>>                "https://apps.ncl.ac.uk/shibboleth/metadata"];
>>  // IPs that always get autologin regardless of user agent (none configured)
>>  var autoIPs=[""];
>>
>>  if (autoSPs.join().indexOf(sp)>=0)
>>  {
>>    if (autoIPs.join().indexOf(ip)>=0)
>>    {
>>      window.location = "/idp/Authn/Kerberos/Login"; //send user to spnego based login
>>    }
>>    // autologin host, check ip/browser compatibility
>>    if ((ip.indexOf("10.",0) == 0 || ip.indexOf("128.240.",0) == 0) && (navigator.userAgent.indexOf("campus-ncl") != -1))
>>    {
>>      window.location = "/idp/Authn/Kerberos/Login";  //send user to spnego based login
>>    }
>>  }
>>  else
>>  {
>>    return;  //send user back to form based login
>>  }
>>}

>>

>>Power users on firefox, google chrome, safari etc can get spnego based autologin by hand altering their browsers user agent and making sure they have a Kerberos ticket.

>>

>>Other pain points are people who use role-based accounts, they get auto logged into sites as their personal id and can't use their role account....the work around for us is to get them to use a different browser for role account login (not a very elegant solution admittedly).

>>

>>So yes you can get spnego autologin to work with shib and be a useful service but there are many caveats and it is not a silver bullet as far as true single sign on goes.

>>

>></snip>

>>

>>

>>

>>>-----Original Message-----

>>>From: Discussion list for Shibboleth developments [mailto:JISC-[log in to unmask]] On Behalf Of Dr Matthew Williams

>>>Sent: 07 February 2013 12:55

>>>To: [log in to unmask]

>>>Subject: Re: IdP on Windows vs LDAP

>>>

>>>Hello,

>>>

>>>Thanks for the link.

>>>

>>>The solution is good but only when you have a valid ticket. There is no provision for fail over to user name and password if you are not on a machine joined to the Kerberos domain.

>>>

>>>Has anyone managed to get the fail over configured?

>>>

>>>Regards,

>>>

>>>Matthew.

>>>

>>>On 06/02/2013 15:38, Simon Palmer wrote:

>>>> I was interested too, so google'd it ;)
>>>>
>>>> http://gfivo.ncl.ac.uk/documents/UsingKerberosticketsfortrueSingleSignOn.pdf
>>>>
>>>> Si

>>>>

>>>>>>> Sara Hopkins <[log in to unmask]> 06/02/2013 14:58 >>>

>>>> I also would like to know about this, please, Cal!

>>>>

>>>> People often ask us; I confess I hadn't realised this could be done. <blush>

>>>>

>>>> Sara

>>>>

>>>> On 06/02/2013 14:00, Dr Matthew Williams wrote:

>>>>> Hello,

>>>>>

>>>>> I would be interested in any information about the "true sso".

>>>>>

>>>>> We run the IdP on Linux against AD.

>>>>>

>>>>> Regards,

>>>>>

>>>>> Matthew.

>>>>>

>>>>> On 06/02/2013 13:49, Alistair Young wrote:

>>>>>>Is that 'out of the box' behaviour with a config change Caleb? Are there some docs I could have a look at?

>>>>>>

>>>>>>thanks,

>>>>>>

>>>>>>Alistair

>>>>>>

>>>>>>------------------------------------

>>>>>>Alistair Young

>>>>>>Senior Software Engineer

>>>>>>UHI@Sabhal Mòr Ostaig

>>>>>>

>>>>>>

>>>>>>From: caleb racey <[log in to unmask] <mailto:[log in to unmask]>>
>>>>>>Reply-To: Discussion list for Shibboleth developments <[log in to unmask] <mailto:JISC-[log in to unmask]>>
>>>>>>Date: Wednesday, 6 February 2013 13:41
>>>>>>To: "[log in to unmask] <mailto:[log in to unmask]>" <JISC-[log in to unmask] <mailto:[log in to unmask]>>
>>>>>>Subject: Re: IdP on Windows vs LDAP

>>>>>>

>>>>>>We run our IdP on unix and have it doing the “true sso” login against our active directory, i.e. the user doesn’t have to type a username or password if already logged into their on campus desktop.

>>>>>>

>>>>>>

>>>>>>

>>>>>>So you can get all the windows integration goodness on unix (linux).

>>>>>>

>>>>>>*From:* Discussion list for Shibboleth developments [mailto:[log in to unmask]] *On Behalf Of* Alistair Young
>>>>>>*Sent:* 06 February 2013 11:32
>>>>>>*To:* [log in to unmask] <mailto:[log in to unmask]>
>>>>>>*Subject:* IdP on Windows vs LDAP

>>>>>>

>>>>>>

>>>>>>

>>>>>>Hi folks,

>>>>>>

>>>>>>

>>>>>>

>>>>>>I'm pottering around the IdP docs and was wondering if there were any advantages in using the IdP on Windows for Active Directory authentication/attribute gathering:

>>>>>>

>>>>>>

>>>>>>

>>>>>>http://www.ukfederation.org.uk/content/Documents/QuickInstallNotes

>>>>>>

>>>>>>

>>>>>>

>>>>>>as opposed to running the IdP on unix and using LDAP. Does it use LDAP in either configuration? Or is there another protocol it will use if it's in an AD domain?

>>>>>>

>>>>>>

>>>>>>

>>>>>>thanks,

>>>>>>

>>>>>>

>>>>>>

>>>>>>Alistair

>>>>>>

>>>>>>

>>>>>>

>>>>>>------------------------------------

>>>>>>

>>>>>>Alistair Young

>>>>>>

>>>>>>Senior Software Engineer

>>>>>>

>>>>>>UHI@Sabhal Mòr Ostaig

>>>>>>

>>>>>>

>>>>>>

>>>>>

>>>>

>>>> --

>>>> Sara Hopkins

>>>> Support Team

>>>> UK Access Management Federation for Education and Research

>>>> web:    http://www.ukfederation.org.uk/

>>>>


>>>

>>>--

>>>Dr Matthew Williams MEng PhD MBCS

>>>Systems Administrator  -  IT Services  -  Bangor University

>>>Prifysgol Bangor            Tel: (44) (0)1248 382414

>>>Adeilad Deiniol             Mob: (44) (0)7979 778269

>>>Ffordd Deiniol              URL: www.bangor.ac.uk

>>>Bangor, Gwynedd LL57 2UX    EMail: [log in to unmask]

>>>--


>

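The gating described in Caleb's quoted message (exclude VPN and wireless ranges, require a campus address plus the managed-build user-agent marker, and allow only a fixed set of SPs) as an added example, not Newcastle's own IdP code. It differs from the posted snippet in that SPs are matched exactly rather than by substring and IP prefixes are compared octet by octet; the ranges, marker and entityIDs are constructed placeholders.

```javascript
// Added example, not the Newcastle IdP's own code: a pure decision function for
// the gating described in the thread. It returns the SPNEGO handler path only
// when auto-login is expected to succeed, and null otherwise (show the form).
// Network ranges and SP entityIDs below are constructed placeholders.

const KERBEROS_LOGIN = "/idp/Authn/Kerberos/Login"; // handler path quoted in the thread

// Checked first: clients arriving via VPN or wireless are never auto-logged in.
const NO_AUTOLOGIN_PREFIXES = ["10.12.", "10.13.", "10.6.", "128.240.246."];
// Campus ranges on which a domain-joined build (and so a Kerberos ticket) is expected.
const CAMPUS_PREFIXES = ["10.", "128.240."];
// Marker the managed-desktop build appends to the browser user agent.
const MANAGED_UA_MARKER = "campus-ncl";
// Auto-login is limited to these SPs, matched exactly rather than by substring.
const AUTOLOGIN_SPS = new Set([
  "https://internal.ncl.ac.uk/shibboleth/metadata",
  "https://my.ncl.ac.uk/shibboleth/metadata",
]);

// Octet-wise prefix test: "10.1" must not match "10.12.3.4", and malformed
// addresses never match anything.
function ipHasPrefix(ip, prefix) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  const want = prefix.split(".").filter((o) => o !== "");
  const have = ip.split(".");
  return want.every((octet, i) => have[i] === octet);
}

// sp: requesting SP entityID; ip: client address as seen by the IdP;
// userAgent: the browser's UA string. Returns a path to redirect to, or null.
function spnegoTarget(sp, ip, userAgent) {
  if ([sp, ip, userAgent].some((v) => typeof v !== "string")) return null;
  if (!AUTOLOGIN_SPS.has(sp)) return null; // not an SP we auto-login to
  if (NO_AUTOLOGIN_PREFIXES.some((p) => ipHasPrefix(ip, p))) return null; // VPN/wireless
  const onCampus = CAMPUS_PREFIXES.some((p) => ipHasPrefix(ip, p));
  const managedBuild = userAgent.includes(MANAGED_UA_MARKER);
  return onCampus && managedBuild ? KERBEROS_LOGIN : null;
}

// Browser-side use on the login page: redirect only when the decision allows it,
// otherwise leave the username/password form in place.
function maybeRedirectToSpnego(sp, ip) {
  const target = spnegoTarget(sp, ip, navigator.userAgent);
  if (target !== null) window.location = target;
}
```

Keeping the decision in a pure function lets the exclusion and allow lists be unit-tested without a browser, which is where a gating mistake would otherwise surface as the grey pop-up box the message warns about.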
