
grouper-users - RE: [grouper-users] Shibboleth and Grouper

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer <>
  • To: Peter DiCamillo <>, "Klug, Lawrence" <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] Shibboleth and Grouper
  • Date: Sat, 27 Aug 2011 02:54:28 +0000

Either that, or make sure the eppn is an identifier for the subject. i.e.

gsh 0%

returns the subject. You can add an identifier that refers to the subject
(e.g. netId, and/or eppn) in the sources.xml

This is a confusing part of the subject API. There is one ID (which at Penn
is the PennID, e.g. 12345678), and multiple identifiers (which don't have
to include the ID). At Penn this is the PennName/PennKey: jsmith, and the


-----Original Message-----

On Behalf Of Peter DiCamillo
Sent: Friday, August 26, 2011 9:02 PM
To: Klug, Lawrence

Subject: Re: [grouper-users] Shibboleth and Grouper

I'm not sure if this applies in your situation, but what works well for
me is to pass the attribute that is being used as the subject id in
Grouper. That allows Grouper to look up the subject very quickly.


Klug, Lawrence wrote:
> Okay, we've got Shibboleth working - the only issue now is what to pass in
> REMOTE_USER. I added a member to the Wheel group that exists in the LDAP
> directory but when logging in we get the error:
> Error:
> * Cant find login subject:
> ,
> * If you continue to encounter errors, please contact technical support.
> I saw in your cloud example that you pass REMOTE_USER="eppn persistent-id
> targeted-id"
> How does that translate to our environment?
> Thanks,
> Lawrence
> -----Original Message-----
> From: Chris Hyzer
> [mailto:]
> Sent: Wednesday, August 24, 2011 10:22 PM
> To:
> ;
> ;
> Klug, Lawrence
> Subject: RE: [grouper-users] Shibboleth and Grouper
> OK, I never understood why these changes were needed, but now I get it. I'm
> used to not having the anonymously accessible information page, if you
> aren't authenticated, you aren't allowed in at all. One of the other
> enablers of this is to set:
> login=Start
> in the custom so that once the user is logged in, and
> looking at the info page, it says "Start", instead of "Log in". Btw, I
> have a directory in the UI: grouperExternal/public which can easily not be
> protected by authn (if you have external user registrations, it won't work
> if it's not), maybe we should change the info page to be a static HTML page
> there, or something else (dynamic page there). Well, if the UI is redone
> in 2.2 we can worry about it then :)
> Thanks,
> Chris
> -----Original Message-----
> From:
> [mailto:]
> On Behalf Of
> Sent: Wednesday, August 24, 2011 3:33 AM
> To:
> ;
> Subject: Re: [grouper-users] Shibboleth and Grouper
> Hi,
> Further to Chris' email, at Newcastle University we have also Shibbolised
> our Grouper install. The following page documents some of the steps that we
> took to Shib protect both the main Admin UI and the Lite UI.
> +UI+With+Shib
> I hope they are helpful.
> Thanks
> Richard James
> Infrastructure Systems Administrator
> ISS Systems Architecture
> Newcastle University
