  • Acegi and Shibboleth

    Hi,
    I was wondering if there's any plan to integrate Acegi with Shibboleth in the near future to provide Single Sign On capabilities (as an alternative to CAS). Or, has anyone already accomplished this and could give some pointers ?
    thanks, Luca

  • #2
    No plans that I know of. It would be a useful addition though.

    • #3
      In order to integrate with Shibboleth, we just created a custom authentication processing filter that retrieves the remoteUser from the request, creates the Authentication object, and populates the SecurityContextHolder context. We're not using the Shibboleth-supplied credentials (other than remote user) for roles. We use the remote user to retrieve a list of roles from the database.

      Not sure if it's the 100% correct way to do things, but it works.

      Note: we're using Apache for shibboleth integration and not the shibboleth java filter (don't even know if that's available yet)

      --------
      Don
      Last edited by dp3; Jan 31st, 2007, 12:16 PM.
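      The filter dp3 describes, written out as an added example (not dp3's code, and not part of Acegi itself). It assumes Acegi Security 1.0.x class names, a Servlet 2.4 container, a `UserDetailsService` bean (for instance Acegi's `JdbcDaoImpl`) that holds the username-to-roles mapping in the database, and that every application URL is served through Apache with `ShibRequireSession On`, so that a request without REMOTE_USER means "no Shibboleth session" rather than "unprotected URL". The package name, class name and bean property name are made up. Everything here rests on `getRemoteUser()` being settable only by Apache: that is the AJP connector point raised later in the thread, and the filter does no checking of its own beyond the database lookup.

```java
package example.shib; // hypothetical package, not from the original post

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.util.Assert;

/**
 * Takes the remote user asserted by the front end (Apache + mod_shib, passed
 * over AJP) as already authenticated and populates the Acegi SecurityContext.
 * Roles are not taken from Shibboleth; they come from the UserDetailsService.
 */
public class RemoteUserAuthenticationFilter implements Filter, InitializingBean {

    private UserDetailsService userDetailsService; // e.g. Acegi's JdbcDaoImpl

    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    public void afterPropertiesSet() {
        Assert.notNull(userDetailsService, "userDetailsService is required");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String remoteUser = request.getRemoteUser();

        if (remoteUser == null) {
            // Assumption: all URLs are behind ShibRequireSession On, so a missing
            // REMOTE_USER means the Shibboleth session is gone. Drop any Acegi
            // Authentication left in the HTTP session so the two stay coupled and
            // the downstream FilterSecurityInterceptor denies protected URLs.
            SecurityContextHolder.getContext().setAuthentication(null);
        } else {
            Authentication existing = SecurityContextHolder.getContext().getAuthentication();
            // Only hit the database when the context is empty or names a different
            // user than the one Apache is now asserting (never trust a stale context).
            if (existing == null || !remoteUser.equals(existing.getName())) {
                SecurityContextHolder.getContext().setAuthentication(authenticate(remoteUser));
            }
        }
        chain.doFilter(req, res);
    }

    private Authentication authenticate(String remoteUser) {
        try {
            UserDetails user = userDetailsService.loadUserByUsername(remoteUser);
            // The three-argument constructor marks the token as authenticated;
            // the credentials are irrelevant because Apache already verified them.
            return new UsernamePasswordAuthenticationToken(user, "N/A", user.getAuthorities());
        } catch (UsernameNotFoundException e) {
            // Known to the IdP but not to this application: no roles, so anonymous.
            return null;
        }
        // A DataAccessException is deliberately not caught: a database outage
        // should fail closed (error page), not silently grant anonymous access.
    }

    public void init(FilterConfig filterConfig) {
    }

    public void destroy() {
    }
}
```

      The filter is declared in web.xml through Acegi's `FilterToBeanProxy` as usual and placed in the `FilterChainProxy` definition after the session integration filter and before the exception translation filter, for example `/**=httpSessionContextIntegrationFilter,remoteUserAuthenticationFilter,exceptionTranslationFilter,filterSecurityInterceptor`. Because the front end holds the real session, re-asserting the user on every request is the intended behaviour; the name comparison keeps that from costing a database round trip each time.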

      • #4
        Thanks, it's reassuring to know that it has been done and it works. We are still not sure whether we are going to use Shibboleth; if so I might post some more questions.
        thanks again,
        Luca

        • #5
          Originally posted by Luca Cinquini:
          Thanks, it's reassuring to know that it has been done and it works. We are still not sure whether we are going to use Shibboleth; if so I might post some more questions.
          thanks again,
          Luca
          This is really just integrating Acegi by taking the username supplied by the container (in this case originally supplied by apache) and assuming it has already been authenticated, so it's not really surprising that it works. There is nothing specific to Shibboleth involved - it would presumably work in any situation where Apache was supplying the name of the authenticated user.

          Ideally it would be nice to be able to avoid the apache configuration on the service provider end and have a pure Java solution which made the results of the attribute query available to Acegi for use in applying security constraints.

          As dp3 said, the Java Shibboleth SP implementation hasn't actually been released, but it seems to work OK and could probably be used as a basis. There are some instructions on getting it running here:

          http://spie.oucs.ox.ac.uk/Wiki.jsp?page=DevEnvironment

          • #6
            Shibboleth requirement

            I need to demonstrate Shibboleth in my university. I have access to my university Apache server using a virtual environment. Can anybody tell me whether it is possible to configure the Apache and Tomcat server in the virtual environment for Shibboleth, I mean to say using the MLN tool to run UML (User-Mode Linux) instances? Would it work for me to demonstrate in this environment? If anybody can help me in this matter it would be very kind.

            • #7
              Originally posted by shani572:
              I need to demonstrate Shibboleth in my university. I have access to my university Apache server using a virtual environment. Can anybody tell me whether it is possible to configure the Apache and Tomcat server in the virtual environment for Shibboleth, I mean to say using the MLN tool to run UML (User-Mode Linux) instances? Would it work for me to demonstrate in this environment? If anybody can help me in this matter it would be very kind.
              This isn't anything to do with Acegi Security. Please refer to the Shibboleth documentation and use the relevant Shibboleth mailing lists for any questions you might have.

              • #8
                No Information about Acegi with Shibboleth

                I have to find out how to integrate Shibboleth with Acegi, but I have no idea where to start.

                I googled a lot, but I couldn't find any information about it (except this thread).

                Thank you very much for any further information!

                • #9
                  Originally posted by dp3:
                  In order to integrate with Shibboleth, we just created a custom authentication processing filter that retrieves the remoteUser from the request, creates the Authentication object, and populates the SecurityContextHolder context. We're not using the Shibboleth-supplied credentials (other than remote user) for roles. We use the remote user to retrieve a list of roles from the database.

                  Not sure if it's the 100% correct way to do things, but it works.

                  Note: we're using Apache for shibboleth integration and not the shibboleth java filter (don't even know if that's available yet)
                  I tried to do the same thing for pubcookie/acegi integration, but remoteUser was always null when I called getRemoteUser() from the filter I wrote. I could see that apache was passing REMOTE_USER via mod_jk to tomcat in debug logs, so I assumed the Spring framework was clearing it. Can you provide an example of your application context? I suspect I had something configured incorrectly.

                  Thank you,

                  Dave

                  • #10
                    Originally posted by dave64:
                    I tried to do the same thing for pubcookie/acegi integration, but remoteUser was always null when I called getRemoteUser() from the filter I wrote. I could see that apache was passing REMOTE_USER via mod_jk to tomcat in debug logs, so I assumed the Spring framework was clearing it. Can you provide an example of your application context? I suspect I had something configured incorrectly.
                    Make sure you have tomcatAuthentication="false" on your AJP connector in server.xml http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html
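                    The connector setting willnorris refers to, written out as an added configuration fragment for a Tomcat 5.5 server.xml (this is not from the original post). With the default `tomcatAuthentication="true"` Tomcat ignores the user that mod_jk forwards and `getRemoteUser()` stays null, which matches the symptom dave64 reports. With it set to `false`, Tomcat takes the remote user straight from the AJP request, so anything that can open a connection to the AJP port can claim any username; the `address` attribute below binds the connector to the loopback interface on the assumption that Apache runs on the same host, and the port numbers are Tomcat's defaults.

```xml
<!-- Added example for Tomcat 5.5 server.xml; assumes Apache/mod_jk on the same host. -->

<!-- Default: Tomcat authenticates itself and discards the user forwarded by mod_jk,
     so request.getRemoteUser() returns null even though REMOTE_USER is on the wire.
<Connector port="8009" protocol="AJP/1.3" enableLookups="false" redirectPort="8443" />
-->

<!-- Trust the user asserted by Apache, but only accept AJP from the loopback
     interface: with tomcatAuthentication="false" the AJP peer can set any username. -->
<Connector port="8009"
           protocol="AJP/1.3"
           address="127.0.0.1"
           enableLookups="false"
           redirectPort="8443"
           tomcatAuthentication="false" />
```

                    A quick check that the setting took effect is the one dave64 describes two posts down: a servlet that just prints `request.getRemoteUser()` when called through Apache. If the application is also reachable on Tomcat's own HTTP connector (8080 by default), requests arriving there carry no remote user at all, so a filter that trusts `getRemoteUser()` will simply see null; the exposure to worry about is an AJP port reachable from untrusted networks.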

                    • #11
                      Originally posted by willnorris:
                      Make sure you have tomcatAuthentication="false" on your AJP connector in server.xml http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html
                      Hi willnorris,

                      Thanks for the pointer, since at this point any advice is welcome. Unfortunately, this is something I'm already aware of, and I'm confident that I have apache/mod_jk/tomcat properly configured. I even confirmed this by writing a tiny servlet that does nothing more than display the result of calling getRemoteUser() to confirm that REMOTE_USER is being properly passed. I'm quite certain that I just had a problem in my application context, because even after hard-coding my credentials in the filter I wrote, authentication was still failing.

                      Up to this point, every attempt I've made to modify the default pentaho authentication configuration has resulted in either null credentials, or a complete failure of the application to start.

                      Thanks for your help, though.

                      Dave

                      • #12
                        Perhaps if you posted your filter configuration someone can work out what's wrong. Otherwise it's pretty much guesswork.

                        If getRemoteUser() is returning null, why don't you insert a filter before the Acegi stack to check its value there. You could then insert your filter wherever you want in the stack and work out where/if the value changes.

                        • #13
                          Originally posted by Luke:
                          Perhaps if you posted your filter configuration someone can work out what's wrong. Otherwise it's pretty much guesswork.

                          If getRemoteUser() is returning null, why don't you insert a filter before the Acegi stack to check its value there. You could then insert your filter wherever you want in the stack and work out where/if the value changes.
                          Hi Luke,

                          My unsuccessful pubcookie/acegi attempt was already past by the time I read this thread, and our configuration now doesn't attempt pubcookie, so I currently have nothing to post. With the knowledge that this should work, I plan to start back down this path. Once I have it configured and not working, I'll post what I have. Again, many thanks for your offer to assist. I'd be extremely happy to see this working and will be posting configuration information soon.

                          Thanks,

                          Dave

                          • #14
                            Check your AAP.xml file to see which attribute is set for remote user and make sure that the idp releases that required attribute.
