IRC log for #shibboleth, 2013-02-12

All times shown according to UTC.

Time Nick Message
14:04 _ilbot joined #shibboleth
14:05 gain I have a problem with the dot '.' character in password
14:05 gain I use shibboleth with ldap
14:05 moritz left #shibboleth
14:06 gain and dunno if is a shibboleth fault or a ldap fault...
14:07 gain any hint?
14:07 pdurbin gain: the founder of this channel is "freenode-staff" i think this means no one has control. are you willing to leave it for a little while until i can register it?
14:08 gain pdurbin: ok... c u later
14:08 pdurbin gain: thanks!
14:08 gain left #shibboleth
14:08 pdurbin left #shibboleth
14:10 _ilbot joined #shibboleth
14:10 ChanServ left #shibboleth
14:15 simong joined #shibboleth
14:36 _ilbot joined ##shibboleth
14:36 Topic for ##shibboleth is now http://shibboleth.net | logs at http://irclog.perlgeek.de/shibboleth/today
14:41 pdurbin for anyone reading this in the future and wondering what's going on with #shibboleth vs. ##shibboleth, please see http://irclog.perlgeek.de/ilbot/2013-02-12#i_6442579 :)
15:00 simong joined ##shibboleth
15:18 pdurbin looks like there was some interest in an IRC channel at some point: https://lists.internet2.edu/sympa/arc/shibboleth-users/2007-05/msg00225.html
15:19 langedb joined ##shibboleth
15:19 pdurbin anyway, i just started this channel. if anyone wants to get in touch, my contact info is at http://greptilian.com
15:20 pdurbin I didn't see any objections to starting an IRC channel at http://shibboleth.net/pipermail/users/2013-February/008035.html
15:21 pdurbin So I sent the following announcement to the shib mailing list: Announcing ##shibboleth, a new IRC channel on irc.freenode.net (publicly logged) - http://shibboleth.net/pipermail/users/2013-February/008097.html
15:23 ChuckTesta joined ##shibboleth
15:24 ChuckTesta left ##shibboleth
15:25 humanoide joined ##shibboleth
15:25 ChuckTesta joined ##shibboleth
15:34 humanoide joined ##shibboleth
15:36 gain joined ##shibboleth
15:52 pdurbin gain: welcome back :)
15:53 gain pdurbin: thanks for the query
15:54 pdurbin gain: hmm? query?
15:55 gain / query gain
15:57 pdurbin ah. sure. sorry to kick you out: http://irclog.perlgeek.de/ilbot/2013-02-12#i_6442665 ;)
15:58 gain np
15:59 pdurbin gain: actually, your question got logged already: http://irclog.perlgeek.de/shibboleth/2013-02-12#i_6442652
15:59 pdurbin you can't use a dot in a password, huh?
16:01 gain y, if I the password set in LDAP has a dot in it, shibboleth tells me "Authentication failed"
16:02 gain *if the pass
16:05 pdurbin hmm. dunno. sorry. i'm quite new to shib
16:14 langedb can you bind to LDAP directly with that password?  I only ask because I have a . in mine & our IdP works fine
16:20 gain My idp is quite old, version 2.2.1
16:21 langedb you may want to upgrade then, there's some security vulns in that version
16:21 langedb https://wiki.shibboleth.net/confluence/display/SHIB2/Home
16:21 langedb https://wiki.shibboleth.net/confluence/display/SHIB2/SecurityAdvisories
16:22 gain langedb: problem with configuration with newer versions... I have to study them
16:41 ekendall joined ##shibboleth
16:42 gain bye
16:48 zico joined ##shibboleth
16:48 zico Hello guys!
16:48 Guest26441 this is the first shib IRC, I guess? :)
16:50 langedb I guess
17:09 ChuckTesta joined ##shibboleth
17:09 simong If an EncryptedAssertion contains a signature, is that signature for the original EncryptedAssertion, for the decrypted Assertion, for the original SamlResponse (with the encrypted assertion) or for the samlresponse (with the decrypted assertion) ?
17:58 pdurbin Guest26441: yes, first shib IRC from what i can tell: http://irclog.perlgeek.de/shibboleth/2013-02-12#i_6443249
18:06 pdurbin "I was going to suggest SimpleSAML also as an easier IdP to play with" -- http://www.evanchooly.com/logs/%23glassfish/2013-02-07
18:06 pdurbin has anyone used http://simplesamlphp.org as an IdP for testing?
18:07 langedb we use SSP as our Social -> SAML gateway
18:07 langedb we being uchicago
18:07 pdurbin SSP?
18:07 langedb Simple SAML PHP
18:07 pdurbin duh. thanks :)
18:08 langedb it's ok, but can be a real resource hog if you try to do things like load InCommon's metadata into it
18:08 pdurbin i just need something to test with. so far i've been using http://testshib.org
18:09 langedb https://spaces.internet2.edu/display/ShibInstallFest/Shibboleth+Workshop+Series+-+Linux+Identity+Provider+%28Centos+6.2%29 <— link to a VM with an IdP installed & instructions
18:10 pdurbin hmm, very interesting. thanks
18:10 langedb it's a nice little IdP in a box with ldap and everything you need
18:11 pdurbin oh yes, i love little VMs for testing: https://github.com/dvn/shibpoc
18:11 langedb yep
18:11 pdurbin hmm, this thing is vmware and i've been using virtualbox for everything
18:12 langedb http://www.howtogeek.com/125640/how-to-convert-virtual-machines-between-virtualbox-and-vmware/
18:12 langedb although player is free
18:13 pdurbin interesting
18:13 pdurbin i wonder if installing vmware on my mac would break my virtualbox
18:13 * langedb has them both installed
18:13 pdurbin heh. ok
18:13 langedb granted I've never tried running both virtualization systems at the same time
18:22 pdurbin langedb: i'm being told it's fine: http://irclog.perlgeek.de/crimsonfu/2013-02-12#i_6444070
19:02 simong joined ##shibboleth
19:35 ekendall I'm using chef to build IdPs. one of these days I'll release the cookbook if anyone else is interested
19:35 ekendall not quite as turn-key as a VM, though - you'd need to bring your own LDAP, etc.
19:36 pdurbin ekendall: are you using Vagrant too?
19:36 ekendall no, hadn't heard of it. I'm using AWS
19:38 pdurbin i think of vagrant as a staging area (on my laptop) before deploying to AWS (or similar): https://github.com/pdurbin/greptilian-vagrant
19:38 pdurbin i'm using puppet but chef would work fine too, of course
19:40 pdurbin somebody here has already stood up an IdP, i think. or maybe i can continue testing against http://testshib.org for now
19:41 pdurbin our app runs on glassfish and I'm thinking about trying to use http://openam.forgerock.org with it. our app will be an SP, not an IdP
19:43 pdurbin ekendall: to learn about chef and vagrant i recommend my friend's https://github.com/agoddard/the-super-mini-one-click-chef-solo-apache-demo-that-just-uses-vagrant-up- :)
19:46 simong joined ##shibboleth
19:59 langedb pdurbin: just grep shib-users first about openam.  I remember a few threads about folks having interop issues.
20:06 pdurbin :(
20:07 langedb that doesn't mean you shouldn't use OpenAM, just that you should look at the archives & identify the pain points & either make your use of OpenAM avoid it, or be prepared with the solutions your Shibboleth IdP operators will need to integrate with you.
20:09 pdurbin langedb: right. well, tomorrow i'm hoping to find out more about people who run our app and have a production IdP: http://irclog.iq.harvard.edu/dvn/2013-02-12#i_689
20:11 langedb though since this is #shibboleth, why not use the Shib SP?
20:14 langedb yes, I know that'd mean front-ending your glassfish install with Apache
20:17 pdurbin langedb: i'm open to that. if it works
20:17 langedb I don't see why it wouldn't
20:18 pdurbin so right now glassfish is on port 80. how would it work with apache in the mix
20:18 langedb you'd setup apache to listen on 80
20:18 langedb then setup glassfish the same way you'd setup tomcat — with AJP
20:18 * pdurbin googles
20:19 langedb http://weblogs.java.net/blog/amyroh/archive/2012/02/15/running-glassfish-312-apache-http-server
20:19 pdurbin hmm. interesting
20:20 langedb that's how we do all our java apps here, granted we use Tomcat rather than glassfish for the container, but Apache+mod_shib handles all the AuthN stuff
20:39 pdurbin langedb: ok. i have a simple hello world glassfish app that i'm itching to put some shib stuff into: https://github.com/IQSS/iqss-javaee-template ... I'll either try your thing or OpenAM (or both)
21:00 langedb good luck
21:01 ekendall nth-ing apache+mod_shib+ajp
21:01 ekendall I've never actually worked with a native java SP
21:25 simong joined ##shibboleth
21:57 humanoide left ##shibboleth
22:33 simong Does anyone know of another publicly available IdP that you can (hassle-free) register your SP with besides testshib.org ?
22:34 simong I've integrated Shib with our node.js app and like to verify with some other endpoints as well (I can't seem to get the IdP running on my VM :( )
22:36 langedb are you affiliated with any institutions which run an IdP and are members of a federation?
22:38 langedb US HigherEd Federation IdPs: https://incommon.org/federation/info/all-entities.html
22:39 langedb there's federations all over the world, so you may have a local one.   You could ask your institution to put your SP into the federation & then solicit testers
22:54 simong Yes, we'll be joining the Cambridge Federation (and possibly the UK) but I'd like to try it against some more devvy IdPs before I go pestering our IT department
22:54 langedb aah, yeah, sorry, I'm only aware of testshib
22:58 simong no worries, I'll continue using testshib and try to get the IdP up and running in a VM