Grouper Users - Open Discussion List

[Rob Gorrell <>]

I was wondering if there were any good soup-to-nuts references for the novice Grouper user in controlling Grouper UI authentication using Shibboleth? I'm working on a first time Grouper deployment and was interested with the notion of using shibb as the authentication mechanism to the UI. I had hoped the path would be a little more straightforward with where these two products come from, but then again, Grouper (and even shibb) are still pretty new to me. 

I found the Newcastle wiki material (https://spaces.internet2.edu/display/Grouper/Newcastle+University+-+Protecting+UI+With+Shib) as well as the notes in the Grouper Hosted on a Cloud (https://spaces.internet2.edu/display/Grouper/Grouper+Hosted+on+a+Cloud+Server) about using shibb with grouper and with this, have been successful in setting up an SP that is protecting my Group UI instance, redirecting me to my IdP, authenticating me and dumping me back at the Grouper UI with an established shibb session, but then Grouper UI is telling me "Error: Cant find login subject https://idp-d.uncg.edu/idp/shibboleth!https://dlx-grouperui.uncg.edu/shibboleth!GN9trT6dTIQDtXiFAgiIlrV1xts=, ADMIN_UI". 

What I seem to be missing (and doesn't seem explained in the Newcastle article) is how to map the shibb eppn + attributes into the Grouper $REMOTE_USER so that shibb user is identified and matched to a grouper subject? I also was stumbling across some information about grouper-shib.jar over at Maven... is that possibly where this component comes into play? 

I was hoping someone might be able to give me a conceptual high level direction of whats involved in shibbolizing the UI geared at those that aren't experts in either grouper or shibboleth... or is this road I've embarked down not for the faint of heart?

Thanks,
-Rob


--

Robert W. Gorrell
Middleware Engineer, Identity and Access Management

University of NC at Greensboro
336-334-5954