| Time | S | Nick | Message |
|---|---|---|---|
| 01:58 | | | ChuckTesta joined ##shibboleth |
| 09:50 | | | simong joined ##shibboleth |
| 13:27 | | pdurbin | simong: sounds like we're working on similar stuff... trying to point our apps at an IdP |
| 13:28 | | simong | That's what we're doing |
| 13:28 | | simong | and I think we've successfully done that |
| 13:28 | | simong | albeit a bit hackish |
| 13:28 | | pdurbin | ah. cool. yes, you said "integrated". past tense: http://irclog.perlgeek.de/shib[…]3-02-12#i_6445185 :) |
| 13:29 | | pdurbin | good job :) |
| 13:29 | | simong | thanks |
| 13:29 | | simong | Are you struggling with anything? |
| 13:29 | | pdurbin | well |
| 13:29 | | pdurbin | i feel like there are a few directions i can go in |
| 13:31 | | pdurbin | so far i've only done the "hello world" example from http://testshib.org ... i'm using https://github.com/dvn/shibpoc to configure an SP using mod_shib and protecting a folder ( https://dvn-vm2.hmdc.harvard.edu/secure/ ) behind a login page at https://idp.testshib.org/idp/Authn/UserPassword |
| 13:32 | | pdurbin | and it works fine |
| 13:32 | | pdurbin | but now I need to actually integrate it into our Java EE Glassfish app: https://github.com/iqss/dvn |
| 13:32 | | | humanoide joined ##shibboleth |
| 13:33 | | pdurbin | and many helpful people have given me some ideas of what to try next |
| 13:33 | | simong | I don't have any experience with that kind of setup but there seems to be a lot of documentation floating around to do that |
| 13:33 | | simong | afaict that should all work out of the box? |
| 13:34 | | pdurbin | one of our devs has used Glassfish with OpenAM: http://openam.forgerock.org ... so I might try that since he's two doors down from me. I might try to put that into a simple testing app I use: https://github.com/IQSS/iqss-javaee-template |
| 13:35 | | pdurbin | but yesterday folks in this channel suggested fronting Glassfish with apache+mod_shib+ajp per http://weblogs.java.net/blog/a[…]pache-http-server |
| 13:36 | | pdurbin | it was suggested here: http://irclog.perlgeek.de/shib[…]3-02-12#i_6444574 |
| 13:36 | | simong | yea that would be the way I go as well |
| 13:36 | | simong | Those are tried and tested |
| 13:37 | | simong | We didn't have that luxury unfortunately and had to roll our own, but I wouldn't recommend that to anyone |
| 13:37 | | pdurbin | ok. a guy in #glassfish was telling me to not even use shib at all. that he uses a "SAML2 Servlet Filter" ... something like this maybe: http://maniagnosis.crsr.net/20[…]rvlet-filter.html |
| 13:38 | | pdurbin | there's some sample code at http://code.google.com/p/websso/ that builds on top of OpenSAML: https://wiki.shibboleth.net/co[…]ay/OpenSAML/Home/ |
| 13:39 | | simong | That's essentially what we did |
| 13:39 | | simong | but you have to know what you're doing |
| 13:39 | | pdurbin | yeah |
| 13:39 | | simong | Stuff like anti replay detection etc |
| 13:39 | | pdurbin | and i don't... yet anyway :) |
| 13:39 | | pdurbin | so are you using shib or not? |
| 13:40 | | pdurbin | my chat in #glassfish is at http://www.evanchooly.com/logs[…]ssfish/2013-02-07 and my summary is at http://irclog.iq.harvard.edu/dvn/2013-02-07#i_598 |
| 13:41 | | simong | Our setup is as follows: nginx load balances requests over a cluster of node.js apps |
| 13:41 | | simong | the node.js app constructs the SAML authnrequest and redirects the user to the IdP |
| 13:42 | | simong | when the user comes back node takes the SAMLResponse parameter, hands it to a java utility that decrypts it and hands it back to node |
| 13:42 | | simong | from where we pick out the attributes we might need |
| 13:42 | | simong | so no, we're not using the shibboleth SP or mod_shib |
| 13:42 | | simong | but now we have to construct the SP metadata.xml to register with the IdP |
| 13:42 | | simong | so it's not exactly ideal |
| 13:43 | | pdurbin | ok. yeah, your story sounds a lot like what the guy from #glassfish is doing. thanks |
| 13:43 | | pdurbin | he said "we leverage OpenSaml like everyone else" ... do you? :) |
| 13:44 | | simong | Yea, the java util uses opensaml |
| 13:44 | | simong | We briefly looked at porting the relevant bits to node, but that would take way too much effort |
| 13:44 | | pdurbin | ok. should we start a new channel? ... ##opensaml? :) |
| 13:46 | | pdurbin | hmm, "OpenSAML is an open-source toolkit, in Java and C++, produced by the Shibboleth Consortium developers" -- https://wiki.shibboleth.net/co[…]ay/OpenSAML/OSFaq |
| 13:47 | | pdurbin | if OpenSAML is made by the shibboleth devs it seems on topic for this channel :) |
| 14:41 | | | simong joined ##shibboleth |
| 15:14 | | | ChuckTesta joined ##shibboleth |
| 15:30 | | | langedb joined ##shibboleth |
| 16:42 | | | ChuckTesta joined ##shibboleth |
| 16:51 | | | ChuckTesta1 joined ##shibboleth |
| 18:19 | | langedb | well, here's the backstory on #shibboleth pdurbin https://lists.internet2.edu/sy[…]-05/msg00225.html |
| 18:24 | | pdurbin | langedb: yep i linked to that at http://irclog.perlgeek.de/shib[…]3-02-12#i_6443979 but thanks |
| 18:25 | | | langedb joined ##shibboleth |
| 18:31 | | pdurbin | in half an hour everyone is welcome to attend a meeting #dvn here on freenode about shibboleth integration: http://irclog.iq.harvard.edu/dvn/2013-02-13#i_723 |
| 18:59 | | pdurbin | don't all /join at once ;) |
| 20:21 | | | simong joined ##shibboleth |
| 20:40 | | | simongee joined ##shibboleth |
| 22:27 | | | humanoide left ##shibboleth |