*Apologies fro cross-posting*
I suspect some people in this mailing list will be very pleased to
know that SPIE Project developed some 'glue' to Shibboleth-enable
You can see a demo here:
Please use demo/demo against the SPIE LDAP IdP (the other IdPs use
Oxford University WebAuth SSO System). Within the uPortal
authenticated session you will be able to see the attributes obtained
via Shibboleth in the 'Person Attributes' Portlet. So, they leave a
the Portal Framework level.
This glue is based on a SPIE Working Package to make uPortal
Shibboleth-aware. We started by trying to 'Shibbolise' JSPWiki which
uses Servlet Container-based authN/authZ). This proved to be more
difficult to do than to
'Shibbolise' uPortal or CAS Server, which use Application-based authN/
authZ. uPortal took half a day to 'Shibolise' and CAS Server less
than one hour. It's worth mentioning that integration with uPortal is
done via a ShibbolethSecurityContext, the standard way to provide a
security AuthN handler for uPortal (version 2.5.x). An equivalent
approach was followed to Shibboleth-enable CAS Server (version 2.0.12).
This code is already available in our CVS (info via SPIE's Wiki,
http://spie.oucs.ox.ac.uk/). This is early beta code and expect it to
change very often. The JSPWiki, uPortal and CAS integration code
(glue) will also be available in the JASIG Clearinghouse, probably
next week. Documentation how to use this code will also be available
in our Wiki over the next weeks. (Note: there seems to be some
problems to access the code via Anonymous CVS (thanks MAMS Project to
discover this. This will be fixed soon).
Meanwhile, you can find some information about the mechanism employed
in the presentation we gave yesterday at the JA-SIG UK Meeting. This
presentation and other presentations on related subjects are
BTW, this is the Wiki I mentioned before. Shibboleth is only
triggered when trying to access the Wiki in a non read-only mode,
e.g. Edit, Delete, Attach. There is also mechanisms to protect some
pages for Viewing, based on a mapping between the attributes
obtained via Shibboleth and the the Wiki ACLs.
Of course this only Shibboleth-enable the 2-tier. The SAML 2.0 SSO
with Constrained Delegation Profile will be needed to Shibboleth-
enable the n-tier.
Hope you find it useful and please feel free to give suggestions.
Dr Francisco Pinto
Research Technologies Service
Oxford University Computing Services
Tel/Fax 01865 273273/273275