Grouper Users - Open Discussion List

[David Langenberg <>]

Hi Rob,

Looking at it, it seems your IdP has not released ePPN to your SP.  That
looks more like an eduPersonTargetedId.  I'd first take a look at your
attribute-filter.xml on the IdP to ensure your Grouper SP is getting the
necessary attributes.  Then ensure that your attribute-map.xml in the
Grouper SP is setup to properly map them.  Finally be sure that in the
Grouper SP shibboleth2.xml you define remote_user to include the correct
attribute.

In our install here, we send UID from the IdP and map that to
REMOTE_USER in the SP.

As for grouper-shib.jar in maven.  What that does is provide a way to
plug grouper into the Shibboleth IdP Attribute Resolver.  It's used
primarily by the Grouper PSP (and can be used by the Shib IdP).

Dave

At 2013.05.09.13.39, in 
<>,
        "Rob Gorrell" 
<>
 wrote:
>    I was wondering if there were any good soup-to-nuts references for the
>    novice Grouper user in controlling Grouper UI authentication using
>    Shibboleth? I'm working on a first time Grouper deployment and was
>    interested with the notion of using shibb as the authentication mechanism
>    to the UI. I had hoped the path would be a little more straightforward
>    with where these two products come from, but then again, Grouper (and 
> even
>    shibb) are still pretty new to me.
> 
>    I found the Newcastle wiki material
>    
> (https://spaces.internet2.edu/display/Grouper/Newcastle+University+-+Protecting+UI+With+Shib)
>    as well as the notes in the Grouper Hosted on a Cloud
>    
> (https://spaces.internet2.edu/display/Grouper/Grouper+Hosted+on+a+Cloud+Server)
>    about using shibb with grouper and with this, have been successful in
>    setting up an SP that is protecting my Group UI instance, redirecting me
>    to my IdP, authenticating me and dumping me back at the Grouper UI with 
> an
>    established shibb session, but then Grouper UI is telling me "Error: Cant
>    find login subject
>    
> https://idp-d.uncg.edu/idp/shibboleth!https://dlx-grouperui.uncg.edu/shibboleth!GN9trT6dTIQDtXiFAgiIlrV1xts=,
>    ADMIN_UI".
> 
>    What I seem to be missing (and doesn't seem explained in the Newcastle
>    article) is how to map the shibb eppn + attributes into the Grouper
>    $REMOTE_USER so that shibb user is identified and matched to a grouper
>    subject? I also was stumbling across some information about
>    grouper-shib.jar over at Maven... is that possibly where this component
>    comes into play?
> 
>    I was hoping someone might be able to give me a conceptual high level
>    direction of whats involved in shibbolizing the UI geared at those that
>    aren't experts in either grouper or shibboleth... or is this road I've
>    embarked down not for the faint of heart?
> 
>    Thanks,
>    -Rob
> 
>    --
>    Robert W. Gorrell
>    Middleware Engineer, Identity and Access Management
>    University of NC at Greensboro
>    336-334-5954
[End of excerpt from 
<>]

-- 
David Langenberg
Identity & Access Management
The University of Chicago