On Fri, 11 Mar 2011, Jon Warbrick wrote:
> A lot of existing web apps have wired into them, often at a very low
> level, the idea that each 'user' has associated with them a unique,
> short-ish, fairly friendly identifier. [...] We've noticed that 'off the
> shelf' Shibboleth adaptations (most recently for Plone and MediaWiki)
> tend to simply use what turns up in REMOTE_USER which, by default, will
> be the first of ePPN and the old and new forms of ePTID that isn't
> blank. In a UK federation context this doesn't really work, and I
> suspect many of these adaptations were written for contexts where ePPN
> is more widely available.
>
> What have other people working in the UK environment done to address
> this problem, assuming you are seeing it too? Is there a 'best
> practice'?
I've finally got around to scribbling some notes on all this, mainly for
the benefit of my immediate colleagues. They aren't complete, or even novel:
http://jw35.blogspot.com/2011/07/federated-and-so-saml-and-so-shibboleth.html
Comments welcome.
Jon.
--
Jon Warbrick
Information Systems Development, Computing Service, University of Cambridge