shibboleth-dev - Shibboleth and Sympa

  • From: Olivier Salaun - CRU <>
  • Subject: Shibboleth and Sympa
  • Date: Wed, 08 Oct 2003 09:41:39 +0200

Hi,

We have started integrating Shibboleth with our mailing list manager, Sympa (http://www.sympa.org/), and we have had some talks with Steven Carmody about it. Steven asked me to present the proposed design for this integration on this list, to get your opinion and suggestions on it.

Sympa has been designed from the beginning (1998) with authentication and authorization processes separated (a good start, isn't it?). Authentication methods (password or X509 certificate based) are used on both the mail and web interfaces. An LDAP backend is available and we recently introduced CAS Single Sign-On (from Yale University). The authorization process uses our home-made ACLs (called authorization scenarios) and provides access control for each action within Sympa (subscribing, reviewing subscribers, archive access, ...). Sympa uses an RDBMS (MySQL, Pg, Oracle, ...) for storing both subscription information and user preferences; the user prefs table also contains the encrypted user password if not using an LDAP backend (or an SSO).

Sympa could use the Shibboleth service to:
1/ authenticate a user at his/her home organisation (origin)
2/ get some user attributes that could be used in its authorization process

(1) means for us getting, directly or indirectly, an email address, because that is what is usable by a mailing list manager.
Sympa would create a user pref entry if none exists for the authenticated user. This entry would obviously have no password defined, but would contain the received user attributes for later use within the login session.

Steven was concerned about users using different email addresses, including email addresses not known by Shibboleth.
Sympa is able to cope with alternate email addresses; a user can declare his/her other email addresses on the Sympa web interface. The alternate email is stored in an HTTP cookie, which of course is a dirty solution. But we will move this data to the user pref DB table shortly.

We already have a demo version running, but we have some problems with the WAYF not redirecting to the correct URL (missing port number). The problem is obviously in the WAYF form, which has lost the port number in the "target" variable (see below). Strangely, the GET URL to the WAYF was correct (see below). Might this be a configuration problem on our target shib?

You can still have a try with this shib-ified Sympa:
http://www.cru.fr:8080/wws

Thanks.

Here is the WAYF accessed URL:
https://wayf.internet2.edu/InQueue/WAYF?shire=http%3A%2F%2Fwww.cru.fr%3A8080%2FSHIRE&target=http%3A%2F%2Fwww.cru.fr%2Fwws%2Fsso_login%2Finqueue

Here is a piece of the WAYF HTML code:

<form method="get" action="/InQueue/WAYF">
<input type="hidden" name="shire" value="http://www.cru.fr:8080/SHIRE" />
<input type="hidden" name="target" value="http://www.cru.fr/wws/sso_login/inqueue" />
<input type="hidden" name="action" value="selection" />
<select name="origin">
[...]

Thanks.

--
Olivier Salaun
CRU - French Universities Network Team
http://www.cru.fr
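
The round-trip problem described in the message above (the WAYF echoing back a "target" that has lost its port number while "shire" keeps it) can be checked mechanically: compare each parameter as it was sent in the WAYF request URL with the value the WAYF puts into its hidden form fields. The following Python is an added example, not code from Sympa, Shibboleth or the WAYF; the request URL and form fragment are constructed with placeholder hostnames (sp.example.org, wayf.example.org) and modelled on the quoted snippet, with the port dropped from "target" only.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed WAYF request URL (placeholder hosts): both shire and target carry port 8080.
WAYF_URL = (
    "https://wayf.example.org/InQueue/WAYF"
    "?shire=http%3A%2F%2Fsp.example.org%3A8080%2FSHIRE"
    "&target=http%3A%2F%2Fsp.example.org%3A8080%2Fwws%2Fsso_login%2Finqueue"
)

# Constructed form fragment modelled on the quoted WAYF HTML: shire keeps the
# port, target has lost it. This is sample input, not the real WAYF output.
WAYF_FORM = """
<form method="get" action="/InQueue/WAYF">
<input type="hidden" name="shire" value="http://sp.example.org:8080/SHIRE" />
<input type="hidden" name="target" value="http://sp.example.org/wws/sso_login/inqueue" />
<input type="hidden" name="action" value="selection" />
<select name="origin"><option value="urn:mace:inqueue:example.org">Example</option></select>
</form>
"""


class HiddenInputs(HTMLParser):
    """Collect name/value of every <input type="hidden"> in the WAYF form."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        # Self-closing <input ... /> tags also arrive here via handle_startendtag.
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def hidden_fields(html):
    """Return {name: value} for the hidden inputs of the form."""
    parser = HiddenInputs()
    parser.feed(html)
    return parser.fields


def query_fields(url):
    """Return the single-valued, percent-decoded query parameters of the request URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def check_roundtrip(url, html, names=("shire", "target")):
    """Compare each named parameter as sent to the WAYF with the value echoed in its
    form. Returns {name: [changed URL components]} for every parameter that did
    not survive the round trip intact; an empty dict means the WAYF preserved both."""
    sent = query_fields(url)
    echoed = hidden_fields(html)
    problems = {}
    for name in names:
        s = urlparse(sent.get(name, ""))
        e = urlparse(echoed.get(name, ""))
        changed = [part for part in ("scheme", "hostname", "port", "path")
                   if getattr(s, part) != getattr(e, part)]
        if changed:
            problems[name] = changed
    return problems


if __name__ == "__main__":
    # With the constructed inputs this reports {'target': ['port']}.
    print(check_roundtrip(WAYF_URL, WAYF_FORM))
```

The comparison is done on parsed URL components rather than on raw strings so that harmless differences in percent-encoding are not reported while a dropped port or rewritten host is. Since the SHIRE is where the assertion is posted and the target is where the user is sent afterwards, a service provider can run this kind of check against its own WAYF exchange to tell a WAYF-side rewrite from a misconfiguration on its own side.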