IRC log for #shibboleth, 2013-02-13

All times shown according to UTC.

Time Nick Message
01:58 ChuckTesta joined ##shibboleth
09:50 simong joined ##shibboleth
13:27 pdurbin simong: sounds like we're working on similar stuff... trying to point our apps at an IdP
13:28 simong That's what we're doing
13:28 simong and I think we've successfully done that
13:28 simong albeit a bit hackish
13:28 pdurbin ah. cool. yes, you said "integrated". past tense: http://irclog.perlgeek.de/shibboleth/2013-02-12#i_6445185 :)
13:29 pdurbin good job :)
13:29 simong thanks
13:29 simong Are you struggling with anything?
13:29 pdurbin well
13:29 pdurbin i feel like there are a few directions i can go in
13:31 pdurbin so far i've only done the "hello world" example from http://testshib.org ... i'm using https://github.com/dvn/shibpoc to configure an SP using mod_shib and protecting a folder ( https://dvn-vm2.hmdc.harvard.edu/secure/ ) behind a login page at https://idp.testshib.org/idp/Authn/UserPassword
13:32 pdurbin and it works fine
13:32 pdurbin but now I need to actually integrate it into our Java EE Glassfish app: https://github.com/iqss/dvn
13:32 humanoide joined ##shibboleth
13:33 pdurbin and many helpful people have given me some ideas of what to try next
13:33 simong I don't have any experience with that kind of setup but there seems to be a lot of documentation floating around to do that
13:33 simong afaict that should all work out of the box?
13:34 pdurbin one of our devs has used Glassfish with OpenAM: http://openam.forgerock.org ... so I might try that since he's two doors down from me. I might try to put that into a simple testing app I use: https://github.com/IQSS/iqss-javaee-template
13:35 pdurbin but yesterday folks in this channel suggested fronting Glassfish with apache+mod_shib+ajp per http://weblogs.java.net/blog/amyroh/archive/2012/02/15/running-glassfish-312-apache-http-server
13:36 pdurbin it was suggested here: http://irclog.perlgeek.de/shibboleth/2013-02-12#i_6444574
13:36 simong yea that would be the way I go as well
13:36 simong Those are tried and tested
13:37 simong We didn't have that luxury unfortunately and had to roll our own, but I wouldn't recommend that to anyone
13:37 pdurbin ok. a guy in #glassfish was telling me to not even use shib at all. that he uses a "SAML2 Servlet Filter" ... something like this maybe: http://maniagnosis.crsr.net/2010/10/saml2-servlet-filter.html
13:38 pdurbin there's some sample code at http://code.google.com/p/websso/ that builds on top of OpenSAML: https://wiki.shibboleth.net/confluence/display/OpenSAML/Home/
13:39 simong That's essentially what we did
13:39 simong but you have to know what you're doing
13:39 pdurbin yeah
13:39 simong Stuff like anti replay detection etc
13:39 pdurbin and i don't... yet anyway :)
13:39 pdurbin so are you using shib or not?
13:40 pdurbin my chat in #glassfish is at http://www.evanchooly.com/logs/%23glassfish/2013-02-07 and my summary is at http://irclog.iq.harvard.edu/dvn/2013-02-07#i_598
13:41 simong Our setup is as follows: nginx load balances requests over a cluster of node.js apps
13:41 simong the node.js app constructs the SAML authnrequest and redirects the user to the IdP
13:42 simong when the user comes back node takes the SAMLResponse parameter, hands it to a java utility that decrypts it and hands it back to node
13:42 simong from where we pick out the attributes we might need
13:42 simong so no, we're not using the shibboleth SP or mod_shib
13:42 simong but now we have to construct the SP metadata.xml to register with the IdP
13:42 simong so it's not exactly ideal
13:43 pdurbin ok. yeah, your story sounds a lot like what the guy from #glassfish is doing. thanks
13:43 pdurbin he said "we leverage OpenSaml like everyone else" ... do you? :)
13:44 simong Yea, the java util uses opensaml
13:44 simong We briefly looked at porting the relevant bits to node, but that would take way too much effort
13:44 pdurbin ok. should we start a new channel? ... ##opensaml? :)
13:46 pdurbin hmm, "OpenSAML is an open-source toolkit, in Java and C++, produced by the Shibboleth Consortium developers" -- https://wiki.shibboleth.net/confluence/display/OpenSAML/OSFaq
13:47 pdurbin if OpenSAML is made by the shibboleth devs it seems on topic for this channel :)
14:41 simong joined ##shibboleth
15:14 ChuckTesta joined ##shibboleth
15:30 langedb joined ##shibboleth
16:42 ChuckTesta joined ##shibboleth
16:51 ChuckTesta1 joined ##shibboleth
18:19 langedb well, here's the backstory on #shibboleth pdurbin https://lists.internet2.edu/sympa/arc/shibboleth-users/2007-05/msg00225.html
18:24 pdurbin langedb: yep i linked to that at http://irclog.perlgeek.de/shibboleth/2013-02-12#i_6443979 but thanks
18:25 langedb joined ##shibboleth
18:31 pdurbin in half an hour everyone is welcome to attend a meeting #dvn here on freenode about shibboleth integration: http://irclog.iq.harvard.edu/dvn/2013-02-13#i_723
18:59 pdurbin don't all /join at once ;)
20:21 simong joined ##shibboleth
20:40 simongee joined ##shibboleth
22:27 humanoide left ##shibboleth
