JiscMail Logo
Email discussion lists for the UK Education and Research communities

Help for JISC-SHIBBOLETH Archives


JISC-SHIBBOLETH Archives

JISC-SHIBBOLETH Archives


JISC-SHIBBOLETH@JISCMAIL.AC.UK


View:

Message:

[

First

|

Previous

|

Next

|

Last

]

By Topic:

[

First

|

Previous

|

Next

|

Last

]

By Author:

[

First

|

Previous

|

Next

|

Last

]

Font:

Proportional Font

LISTSERV Archives

LISTSERV Archives

JISC-SHIBBOLETH Home

JISC-SHIBBOLETH Home

JISC-SHIBBOLETH  February 2013

JISC-SHIBBOLETH February 2013

Options

Subscribe or Unsubscribe

Subscribe or Unsubscribe

Log In

Log In

Get Password

Get Password

Subject:

Re: IdP on Windows vs LDAP

From:

caleb racey <[log in to unmask]>

Reply-To:

Discussion list for Shibboleth developments <[log in to unmask]>

Date:

Thu, 7 Feb 2013 14:16:42 +0000

Content-Type:

text/plain

Parts/Attachments:

Parts/Attachments

text/plain (1 lines)

Yes and the answer is to only send someone to the kerb login if you are sure it's going to work, we do this with JavaScript on the login page and setting a useragent on our domain joined machines to "campus-ncl" then detecting that



To copy paste out of the  thread at https://groups.google.com/forum/?fromgroups=#!topic/shibboleth-users/NOaQDb0LMyw  



<snip>



We have Kerberos autologin setup on our IdP via the SPNEGO handler that Rodrigo and his team developed (it is excellent work), it is handling in the region of 17000 logins a day without any problems.

As Rodrigo alludes to the error behaviour of browsers that do not have a valid Kerberos ticket is  a major issue. The behaviour depends on the browser being used and it's configuration and network setup.....the worst case scenario we have seen is  a basic auth grey pop up login box appears while the browser is still showing the url of the SP or WAYF, the end user therefore has no means of seeing if they are entering their password into a legitimate IdP.   We view this as potentially training our user population to put their password into any grey login box that pops up and ask for it (very few would understand the difference between a wayf or SP url and any other url). Also our view is that the different behaviour of browsers would result in an unacceptable support workload should we try and support auto login for them.



To work round this we only  trigger spnego login when we are sure it will work, so we detect if a user is on campus from their ip address,  and has a browser user agent set to a predefined string by our Acitive Directory (AD) policy based build. This means they are using a machine that is managed by our active directory and therefore will be logged into the AD and have a kerb ticket.  We then also prevent spnego from users coming in via our vpn service or one of our wireless networks (magpie).  We also only allow autologin to a subset of our own SPs



Snippet of javascript from our IdP that does this below    





function spnego(sp, ip)

{

  // IPs we don't want to autologin 

  if (ip.indexOf("10.12.", 0) == 0) { return; } //(magpie  wireless)

  else if (ip.indexOf("10.13.", 0) == 0) { return; } //(magpie wireless)

  else if (ip.indexOf("10.6.", 0) == 0) { return; } //(ivpn vpn)

  else if (ip.indexOf("128.240.246.", 0) == 0) { return; } //(evpn vpn)



  var autoSPs=[ "https://internal.ncl.ac.uk/shibboleth/metadata",

                "https://directory.ncl.ac.uk/shibboleth/metadata",

                "https://my.ncl.ac.uk/shibboleth/metadata",

                "https://unixmon.ncl.ac.uk/shibboleth/metadata",

                "https://apps.ncl.ac.uk/shibboleth/metadata"];

  var autoIPs=[""];



  if (autoSPs.join().indexOf(sp)>=0)

  {

    if (autoIPs.join().indexOf(ip)>=0)

    {

      window.location = "/idp/Authn/Kerberos/Login"; //send user to spnego based login

    }

    // autologin host, check ip/browser compatibility

    if ((ip.indexOf("10.",0) == 0 || ip.indexOf("128.240.",0) == 0) && (navigator.userAgent.indexOf("campus-ncl") != -1))

    {

      window.location = "/idp/Authn/Kerberos/Login";  //send user to spnego based login 

    }  

  }

  else

  {

    return;  //send user back to form based login 

  }

}



Power users on firefox, google chrome, safari etc can get spnego based autologin by hand altering their browsers  user agent and making sure they have a Kerberos ticket.



Other pain points are people who use role base accounts, they  get auto logged into sites as their personal id and can't use their role account....the work around for us is to get them to use a different browser for role account login (not a very elegant solution admittedly).



So yes you can get spnego autologin to work with shib and be a useful service but there are many  caveats and it is not a silver bullet as far as true single sign on goes.

 

</snip>







>-----Original Message-----

>From: Discussion list for Shibboleth developments [mailto:JISC-

>[log in to unmask]] On Behalf Of Dr Matthew Williams

>Sent: 07 February 2013 12:55

>To: [log in to unmask]

>Subject: Re: IdP on Windows vs LDAP

>

>Hello,

>

>Thanks for the link.

>

>The solution is good but only when you have a valid ticket. There is no

>provision for fail over to user name and password if you are not on a

>machine joined to the Kerberos domain.

>

>Has anyone managed to get the fail over configured?

>

>Regards,

>

>Matthew.

>

>On 06/02/2013 15:38, Simon Palmer wrote:

>> I was interested too, so google'd it ;)

>>

>http://gfivo.ncl.ac.uk/documents/UsingKerberosticketsfortrueSingleSignOn.p

>df

>> Si

>>

>>>>> Sara Hopkins <[log in to unmask]> 06/02/2013 14:58 >>>

>> I also would like to know about this, please, Cal!

>>

>> People often ask us; I confess I hadn't realised this could be done. <blush>

>>

>> Sara

>>

>> On 06/02/2013 14:00, Dr Matthew Williams wrote:

>>> Hello,

>>>

>>> I would be interested in any information about the "true sso".

>>>

>>> We are run the IdP on Linux against AD.

>>>

>>> Regards,

>>>

>>> Matthew.

>>>

>>> On 06/02/2013 13:49, Alistair Young wrote:

>>>>Is that 'out of the box' behaviour with a config change Caleb? Are there

>>>>some docs I could have a look at?

>>>>

>>>>thanks,

>>>>

>>>>Alistair

>>>>

>>>>------------------------------------

>>>>Alistair Young

>>>>Àrd-Innleadair air Bathar-Bog

>>>>UHI@Sabhal Mòr Ostaig

>>>>

>>>>

>>>>From: caleb racey <[log in to unmask]

>>>><mailto:[log in to unmask]>>

>>>>Reply-To: Discussion list for Shibboleth developments

>>>><[log in to unmask] <mailto:JISC-

>[log in to unmask]>>

>>>>Date: Wednesday, 6 February 2013 13:41

>>>>To: "[log in to unmask]

>>>><mailto:[log in to unmask]>" <JISC-

>[log in to unmask]

>>>><mailto:[log in to unmask]>>

>>>>Subject: Re: IdP on Windows vs LDAP

>>>>

>>>>We run our IdP on unix  and having it doing the “true sso”  login

>>>>against our active directory i.e. the user doesn’t  have to type a

>>>>username or password if already logged into their on campus desktop.

>>>>

>>>>

>>>>

>>>>So you can get all the windows integration goodness on unix (linux).

>>>>

>>>>

>>>>

>>>>

>>>>

>>>>

>>>>

>>>>

>>>>

>>>>*From:*Discussion list for Shibboleth developments

>>>>[mailto:[log in to unmask]] *On Behalf Of *Alistair Young

>>>>*Sent:* 06 February 2013 11:32

>>>>*To:* [log in to unmask]

>> <mailto:[log in to unmask]>

>>>>*Subject:* IdP on Windows vs LDAP

>>>>

>>>>

>>>>

>>>>Hi folks,

>>>>

>>>>

>>>>

>>>>I'm pottering around the IdP docs and was wondering if there were any

>>>>advantages in using the IdP on Windows for Active Directory

>>>>authentication/attribute gathering:

>>>>

>>>>

>>>>

>>>>http://www.ukfederation.org.uk/content/Documents/QuickInstallNotes

>>>>

>>>>

>>>>

>>>>as opposed to running the IdP on unix and using LDAP. Does it use LDAP

>>>>in either configuration? Or is there another protocol it will use if

>>>>it's in an AD domain?

>>>>

>>>>

>>>>

>>>>thanks,

>>>>

>>>>

>>>>

>>>>Alistair

>>>>

>>>>

>>>>

>>>>------------------------------------

>>>>

>>>>Alistair Young

>>>>

>>>>Senior Software Engineer

>>>>

>>>>UHI@Sabhal Mòr Ostaig

>>>>

>>>>

>>>>

>>>

>>

>> --

>> Sara Hopkins

>> Support Team

>> UK Access Management Federation for Education and Research

>> web:    http://www.ukfederation.org.uk/

>>

>> The University of Edinburgh is a charitable body, registered in

>> Scotland, with registration number SC005336.

>>

>>

>> Mae'r e-bost hwn ac unrhyw ffeiliau atodedig yn gyfrinachol ac at sylw'r

>> unigolyn neu'r sefydliad a enwir uchod. Bydd unrhyw farn neu sylwadau a

>> fynegir yn perthyn i'r awdur yn unig ac ni chynrychiolant o anghenraid

>> farn Coleg Sir Gâr. Os ydych chi wedi derbyn yr e-bost hwn ar gam,

>> rhowch sylw i'r gweinyddwr ar y cyfeiriad canlynol:

>> [log in to unmask]

>> Cysidrwch yr amgylchedd - a oes wir angen argraffu'r ebost hwn?

>> This email and any files transmitted with it are confidential and

>> intended solely for the use of the individual or entity to whom they are

>> addressed. Any views or opinions expressed are solely those of the

>> author and do not necessarily represent those of Coleg Sir Gâr. If you

>> have received this email in error please notify the administrator on the

>> following address: [log in to unmask]

>> Please consider the environment - do you really need to print this email?

>

>--

>Dr Matthew Williams MEng PhD MBCS

>Systems Administrator  -  IT Services  -  Bangor University

>Prifysgol Bangor            Tel: (44) (0)1248 382414

>Adeilad Deiniol             Mob: (44) (0)7979 778269

>Ffordd Deiniol              URL: www.bangor.ac.uk

>Bangor, Gwynedd LL57 2UX    EMail: [log in to unmask]

>--

>Rhif Elusen Gofrestredig / Registered Charity No. 1141565

>

>Gall y neges e-bost hon, ac unrhyw atodiadau a anfonwyd gyda hi,

>gynnwys deunydd cyfrinachol ac wedi eu bwriadu i'w defnyddio'n unig

>gan y sawl y cawsant eu cyfeirio ato (atynt). Os ydych wedi derbyn y

>neges e-bost hon trwy gamgymeriad, rhowch wybod i'r anfonwr ar

>unwaith a dil�wch y neges. Os na fwriadwyd anfon y neges atoch chi,

>rhaid i chi beidio � defnyddio, cadw neu ddatgelu unrhyw wybodaeth a

>gynhwysir ynddi. Mae unrhyw farn neu safbwynt yn eiddo i'r sawl a'i

>hanfonodd yn unig  ac nid yw o anghenraid yn cynrychioli barn

>Prifysgol Bangor. Nid yw Prifysgol Bangor yn gwarantu

>bod y neges e-bost hon neu unrhyw atodiadau yn rhydd rhag firysau neu

>100% yn ddiogel. Oni bai fod hyn wedi ei ddatgan yn uniongyrchol yn

>nhestun yr e-bost, nid bwriad y neges e-bost hon yw ffurfio contract

>rhwymol - mae rhestr o lofnodwyr awdurdodedig ar gael o Swyddfa

>Cyllid Prifysgol Bangor.  www.bangor.ac.uk

>

>This email and any attachments may contain confidential material and

>is solely for the use of the intended recipient(s).  If you have

>received this email in error, please notify the sender immediately

>and delete this email.  If you are not the intended recipient(s), you

>must not use, retain or disclose any information contained in this

>email.  Any views or opinions are solely those of the sender and do

>not necessarily represent those of Bangor University.

>Bangor University does not guarantee that this email or

>any attachments are free from viruses or 100% secure.  Unless

>expressly stated in the body of the text of the email, this email is

>not intended to form a binding contract - a list of authorised

>signatories is available from the Bangor University Finance

>Office.  www.bangor.ac.uk

Top of Message | Previous Page | Permalink

JiscMail Tools


RSS Feeds and Sharing


Advanced Options


Archives

December 2019
November 2019
October 2019
September 2019
August 2019
June 2019
May 2019
March 2019
February 2019
January 2019
November 2018
July 2018
June 2018
May 2018
April 2018
March 2018
January 2018
November 2017
October 2017
September 2017
August 2017
July 2017
June 2017
May 2017
March 2017
February 2017
January 2017
October 2016
September 2016
August 2016
July 2016
June 2016
May 2016
March 2016
February 2016
January 2016
December 2015
November 2015
September 2015
August 2015
June 2015
April 2015
March 2015
February 2015
December 2014
November 2014
October 2014
September 2014
August 2014
July 2014
June 2014
May 2014
April 2014
March 2014
February 2014
January 2014
December 2013
November 2013
October 2013
September 2013
August 2013
June 2013
May 2013
April 2013
March 2013
February 2013
January 2013
December 2012
November 2012
October 2012
September 2012
August 2012
July 2012
June 2012
May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
December 2010
November 2010
October 2010
September 2010
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010
January 2010
December 2009
November 2009
October 2009
September 2009
August 2009
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
October 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005


JiscMail is a Jisc service.

View our service policies at https://www.jiscmail.ac.uk/policyandsecurity/ and Jisc's privacy policy at https://www.jisc.ac.uk/website/privacy-notice

Secured by F-Secure Anti-Virus CataList Email List Search Powered by the LISTSERV Email List Manager