grouper-users - Re: [grouper-users] cookbook for protecting Grouper UI using Shibboleth

Subject: Grouper Users - Open Discussion List

  • From: David Langenberg <>
  • To: Rob Gorrell <>
  • Cc:
  • Subject: Re: [grouper-users] cookbook for protecting Grouper UI using Shibboleth
  • Date: Thu, 9 May 2013 13:54:19 -0600
  • Authentication-results: sfpop-ironport01.merit.edu; dkim=neutral (message not signed) header.i=none

Hi Rob,

Looking at it, it seems your IdP has not released ePPN to your SP. That
looks more like an eduPersonTargetedId. I'd first take a look at your
attribute-filter.xml on the IdP to ensure your Grouper SP is getting the
necessary attributes. Then ensure that your attribute-map.xml in the
Grouper SP is set up to properly map them. Finally be sure that in the
Grouper SP shibboleth2.xml you define remote_user to include the correct
attribute.

In our install here, we send UID from the IdP and map that to
REMOTE_USER in the SP.

As for grouper-shib.jar in Maven, what that does is provide a way to
plug grouper into the Shibboleth IdP Attribute Resolver. It's used
primarily by the Grouper PSP (and can be used by the Shib IdP).

Dave

At 2013.05.09.13.39, in <>, "Rob Gorrell" <> wrote:
> I was wondering if there were any good soup-to-nuts references for the
> novice Grouper user in controlling Grouper UI authentication using
> Shibboleth? I'm working on a first time Grouper deployment and was
> interested in the notion of using shibb as the authentication mechanism
> to the UI. I had hoped the path would be a little more straightforward
> with where these two products come from, but then again, Grouper (and
> even shibb) are still pretty new to me.
>
> I found the Newcastle wiki material
> (https://spaces.internet2.edu/display/Grouper/Newcastle+University+-+Protecting+UI+With+Shib)
> as well as the notes in the Grouper Hosted on a Cloud
> (https://spaces.internet2.edu/display/Grouper/Grouper+Hosted+on+a+Cloud+Server)
> about using shibb with grouper and with this, have been successful in
> setting up an SP that is protecting my Group UI instance, redirecting me
> to my IdP, authenticating me and dumping me back at the Grouper UI with an
> established shibb session, but then Grouper UI is telling me "Error: Cant
> find login subject
> https://idp-d.uncg.edu/idp/shibboleth!https://dlx-grouperui.uncg.edu/shibboleth!GN9trT6dTIQDtXiFAgiIlrV1xts=,
> ADMIN_UI".
>
> What I seem to be missing (and doesn't seem explained in the Newcastle
> article) is how to map the shibb eppn + attributes into the Grouper
> $REMOTE_USER so that shibb user is identified and matched to a grouper
> subject? I also was stumbling across some information about
> grouper-shib.jar over at Maven... is that possibly where this component
> comes into play?
>
> I was hoping someone might be able to give me a conceptual high level
> direction of what's involved in shibbolizing the UI geared at those that
> aren't experts in either grouper or shibboleth... or is this road I've
> embarked down not for the faint of heart?
>
> Thanks,
> -Rob
>
> --
> Robert W. Gorrell
> Middleware Engineer, Identity and Access Management
> University of NC at Greensboro
> 336-334-5954
[End of excerpt from <>]

--
David Langenberg
Identity & Access Management
The University of Chicago
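
The three settings named in the reply above, as an added illustration that is not part of the original messages or either poster's configuration. It assumes Shibboleth IdP 2.x filter syntax, an IdP attribute definition whose id is `uid`, and a placeholder SP entityID `https://grouper-sp.example.edu/shibboleth`.

```xml
<!-- 1. IdP side: attribute-filter.xml (IdP 2.x syntax).
        Release uid to the Grouper SP only. The entityID is a placeholder. -->
<afp:AttributeFilterPolicy id="releaseUidToGrouperSP">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                               value="https://grouper-sp.example.edu/shibboleth"/>
    <!-- attributeID must match the id of the attribute definition in the
         IdP's attribute-resolver.xml (assumed here to be "uid"). -->
    <afp:AttributeRule attributeID="uid">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

<!-- 2. SP side: attribute-map.xml.
        Map the SAML 2 (OID) and SAML 1 (URN) names of uid to the local
        attribute id "uid". An attribute that arrives without a matching
        entry here is dropped by the SP. -->
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
<Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>

<!-- 3. SP side: shibboleth2.xml.
        REMOTE_USER is an ordered list of local attribute ids; the first one
        present in the session wins. The SP's stock value is
        "eppn persistent-id targeted-id", so when eppn is not released the SP
        falls through to an opaque IdP!SP!value identifier, the form seen in
        the "Cant find login subject" error. List only attributes whose values
        match a Grouper subject identifier. -->
<ApplicationDefaults entityID="https://grouper-sp.example.edu/shibboleth"
                     REMOTE_USER="uid">
    <!-- Sessions, Errors, MetadataProvider and the other child elements
         stay as they are in the existing file. -->
</ApplicationDefaults>
```

After logging in, the SP's `/Shibboleth.sso/Session` handler lists the attributes the session actually received, which shows whether the release and mapping steps took effect.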



