grouper-users - RE: [grouper-users] Shibboleth and Grouper

  • From: "Klug, Lawrence" <>
  • To: Chris Hyzer <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] Shibboleth and Grouper
  • Date: Mon, 29 Aug 2011 14:03:53 -0700
  • Accept-language: en-US
  • Acceptlanguage: en-US

Chris,

We have edupersonprincipalname in the LDAP directory that is probably what I
need to use. It is a concatenation of the uclalogonid with @ucla.edu.

Thanks,

Lawrence

-----Original Message-----
From: Chris Hyzer [mailto:]
Sent: Monday, August 29, 2011 12:31 PM
To: Klug, Lawrence
Cc:

Subject: RE: [grouper-users] Shibboleth and Grouper

You need to be able to lookup like this in gsh:

SubjectFinder.findByIdOrIdentifier("", true)

Is eppn an attribute in LDAP? If not, you should be able to do a virtual
attribute which is a concatenation of the netid with @ucla.edu, if that makes
sense (i.e. everyone with a netid has an eppn, etc.).

Thanks,
Chris


-----Original Message-----
From: Klug, Lawrence [mailto:]
Sent: Monday, August 29, 2011 3:09 PM
To: Chris Hyzer
Cc:

Subject: RE: [grouper-users] Shibboleth and Grouper

I configured the search to include the uclaLogonID identifier (see below). In
the grouper shell the search works, but when Shibboleth redirects, I still get
an error or I get kicked back to the login page. Any ideas?

gsh 0% SubjectFinder.findByIdOrIdentifier("isistestidsix", true)
subject: id='urn:mace:ucla.edu:ppid:person:311B17E1507245CBAE6048DB8F62628D'
type='person' source='ldap' name='TEST-EDIMI, SIX'

> Error:
> * Cant find login subject:
> ,
> ADMIN_UI

<search>
  <searchType>searchSubjectByIdentifier</searchType>
  <param>
    <param-name>filter</param-name>
    <param-value>
      (&amp;(|(uclaPPID=%TERM%)(uclaLogonID=%TERM%))(objectClass=person))
    </param-value>
  </param>
  <param>
    <param-name>scope</param-name>
    <param-value>
      SUBTREE_SCOPE
    </param-value>
  </param>
  <param>
    <param-name>base</param-name>
    <param-value>
      ou=people,dc=edtest,dc=ucla,dc=edu
    </param-value>
  </param>
</search>
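The lookups in this part of the thread, modelled as an added example (not Grouper's code and not from any poster): the searchSubjectByIdentifier filter above matches only uclaPPID or uclaLogonID, so the gsh lookup by logon id succeeds while the eduPersonPrincipalName value that Shibboleth hands over in REMOTE_USER finds nothing, and adding eduPersonPrincipalName to the filter (the attribute Lawrence settles on in his final reply) makes the same login resolve. The directory entries are constructed test data, the small filter evaluator stands in for the LDAP server, and RFC 4515 escaping of the term is included because the value originates from the login.

```python
import re
# Constructed directory entries modelled on the thread's gsh output (test values only).
PEOPLE = [
    {"uclaPPID": "311B17E1507245CBAE6048DB8F62628D", "uclaLogonID": "isistestidsix",
     "eduPersonPrincipalName": "isistestidsix@ucla.edu", "objectClass": "person"},
    {"uclaPPID": "CONSTRUCTED-PPID-2", "uclaLogonID": "isistestidone",
     "eduPersonPrincipalName": "isistestidone@ucla.edu", "objectClass": "person"},
]

# The searchSubjectByIdentifier filter posted in the thread, and a variant that also
# accepts the eduPersonPrincipalName value that Shibboleth passes in REMOTE_USER.
ORIGINAL_FILTER = "(&(|(uclaPPID=%TERM%)(uclaLogonID=%TERM%))(objectClass=person))"
FIXED_FILTER = ("(&(|(uclaPPID=%TERM%)(uclaLogonID=%TERM%)"
                "(eduPersonPrincipalName=%TERM%))(objectClass=person))")

def escape_term(term):
    """RFC 4515 escaping so a caller-supplied term cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in term)

def parse_filter(s):
    """Parse the RFC 4515 subset used above: (&...), (|...) and (attr=value)."""
    def node(i):  # s[i] is '('; returns (tree, index just past the matching ')')
        if s[i + 1] in "&|":
            op, kids, i = s[i + 1], [], i + 2
            while s[i] != ")":
                kid, i = node(i)
                kids.append(kid)
            return (op, kids), i + 1
        j = s.index(")", i)
        attr, _, value = s[i + 1:j].partition("=")
        return ("=", attr, value), j + 1
    return node(0)[0]

def matches(tree, entry):
    """Evaluate a parsed filter; an unescaped '*' in a value acts as a wildcard."""
    if tree[0] == "&":
        return all(matches(k, entry) for k in tree[1])
    if tree[0] == "|":
        return any(matches(k, entry) for k in tree[1])
    _, attr, value = tree
    unesc = lambda p: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
    pattern = ".*".join(re.escape(unesc(p)) for p in re.split(r"(?<!\\)\*", value))
    return attr in entry and re.fullmatch(pattern, entry[attr], re.IGNORECASE) is not None

def find_by_identifier(filter_template, term, entries=PEOPLE):
    """Mimic searchSubjectByIdentifier: uclaPPID of the unique hit, else None."""
    tree = parse_filter(filter_template.replace("%TERM%", escape_term(term)))
    hits = [e for e in entries if matches(tree, e)]
    return hits[0]["uclaPPID"] if len(hits) == 1 else None
```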

-----Original Message-----
From: [mailto:] On Behalf Of Klug, Lawrence
Sent: Monday, August 29, 2011 8:31 AM
To: Chris Hyzer
Cc:

Subject: RE: [grouper-users] Shibboleth and Grouper

>>You can add an identifier that refers to the subject (e.g. netId,
>>and/or eppn) in the sources.xml

I would like to add an additional identifier "uclaLogonID" (eppn), but I'm not
sure exactly how to do this. Must it be in the LDAP block of sources.xml?

Thanks,

Lawrence

-----Original Message-----
From: Chris Hyzer [mailto:]
Sent: Friday, August 26, 2011 7:54 PM
To: Peter DiCamillo; Klug, Lawrence
Cc:

Subject: RE: [grouper-users] Shibboleth and Grouper

Either that, or make sure the eppn is an identifier for the subject. i.e.

gsh 0% SubjectFinder.findByIdOrIdentifier("", true)

returns the subject. You can add an identifier that refers to the subject
(e.g. netId, and/or eppn) in the sources.xml

This is a confusing part of the subject API. There is one ID (which at Penn
is the PennID, e.g. 12345678), and multiple identifiers (which don't have
to include the ID). At Penn these are the PennName/PennKey: jsmith, and the
eppn:


thanks,
Chris

-----Original Message-----
From: [mailto:] On Behalf Of Peter DiCamillo
Sent: Friday, August 26, 2011 9:02 PM
To: Klug, Lawrence
Cc:

Subject: Re: [grouper-users] Shibboleth and Grouper

I'm not sure if this applies in your situation, but what works well for me is
to pass the attribute that is being used as the subject id in Grouper. That
allows Grouper to lookup the subject very quickly.

Peter

Klug, Lawrence wrote:
> Okay, we've got Shibboleth working - the only issue now is what to pass in
> REMOTE_USER. I added a member to the Wheel group that exists in the LDAP
> directory but when logging in we get the error:
>
> Error:
> * Cant find login subject:
> ,
> ADMIN_UI
> * If you continue to encounter errors, please contact technical support.
> I saw in your cloud example that you pass REMOTE_USER="eppn persistent-id
> targeted-id"
>
> How does that translate to our environment?
>
> Thanks,
>
> Lawrence
>
> -----Original Message-----
> From: Chris Hyzer [mailto:]
> Sent: Wednesday, August 24, 2011 10:22 PM
> To: ; ; Klug, Lawrence
> Subject: RE: [grouper-users] Shibboleth and Grouper
>
> OK, I never understood why these changes were needed, but now I get it. I'm
> used to not having the anonymously accessible information page; if you
> aren't authenticated, you aren't allowed in at all. One of the other
> enablers of this is to set:
>
> login=Start
>
> in the custom nav.properties so that once the user is logged in, and
> looking at the info page, it says "Start", instead of "Log in". Btw,
> I have a directory in the UI: grouperExternal/public which can easily
> not be protected by authn (if you have external user registrations, it
> won't work if it's not), maybe we should change the info page to be a
> static HTML page there, or something else (dynamic page there). Well,
> if the UI is redone in 2.2 we can worry about it then :)
>
> Thanks,
> Chris
>
>
> -----Original Message-----
> From: [mailto:] On Behalf Of
> Sent: Wednesday, August 24, 2011 3:33 AM
> To: ;
>
> Subject: Re: [grouper-users] Shibboleth and Grouper
>
> Hi,
>
> Further to Chris' email, at Newcastle University we have also Shibbolised
> our Grouper install. The following page documents some of the steps that we
> took to Shib protect both the main Admin UI and the Lite UI.
>
> https://spaces.internet2.edu/display/Grouper/Newcastle+University+-+Protecting+UI+With+Shib
>
> I hope they are helpful.
>
> Thanks
>
> Richard James
> Infrastructure Systems Administrator
> ISS Systems Architecture
> Newcastle University
