
shibboleth-dev - Some comments prompted by recent Shibboleth origin install/configuration experiences

  • From: Simon McLeish <>
  • Subject: Some comments prompted by recent Shibboleth origin install/configuration experiences
  • Date: Thu, 24 Feb 2005 12:38:48 +0000
  • Organization: London School of Economics

Hi all,

I've recently put together some brief comments on experiences I had
installing a Shib origin and configuring it to work with a variety of
federations. There are some ideas for things that might be done to make
life easier in future (which is why they're being posted on these lists)
- comments are welcome.

Cheers,
Simon

Generally, everything proceeded according to the install guide, with
help from the install checklist. However, there were two problems which
seriously delayed the implementation of the origin software on this
machine.

Tomcat version

The original version of Tomcat installed on the machine was 4.1.30. The
problem encountered was that the Apache web server was failing to pass
the http environment variables (which crucially include the userID used
to authenticate to Shibboleth) to Tomcat, resulting in Shibboleth
rejecting access because the user appeared not to have logged in. The
various install guides (http://shibboleth.internet2.edu/guides/deploy-guide-origin1.2.1.html;
http://shibboleth.internet2.edu/guides/identity-provider-checklist.html) and searches on the shib-users mailing list
reveal a variety of configuration changes suggested to resolve this
issue, all of which failed to solve the problem and which between them
caused considerable confusion. (Which is/are right? Might combining them
make some of them fail?) Replacing the Tomcat configuration with a
working file from another site also failed to solve the problem, but by
producing different errors (that the file syntax was considered invalid)
suggested the eventual solution, to install a more recent Tomcat version
- 5.0.30. (See my resolution message to the list -
https://mail.internet2.edu/wws/arc/shibboleth-users/2004-12/msg00039.html,
which includes a pointer to the relevant
Tomcat bug report.) The process of doing this revealed why an out of
date version of Tomcat had been installed on the machine in the first
place - at the time, the download page on the software web site
(http://jakarta.apache.org/site/binindex.cgi - still not the simplest
site to understand) incorrectly implied that Tomcat 5 software was in
beta.

Recommendations: Encourage Shibboleth team to ensure that apparently
official (i.e. endorsed by the Shibboleth web site) documentation is
consistent. (This may well be a simple outcome of the Wiki-based
documentation now being produced.)
Create a document (to be housed on the Wiki?) which links error messages
to mailing list messages describing a working resolution of the problem.

Ensuring correct data passed between target/origin sites

The second problem was that nobody was quite clear exactly what a target
site needs to know about an origin site in order to trust it, and vice
versa. This is partly because of a lack of experience generally with
setting up the connection between a target and an origin (using the
default InQueue federation is far easier, because everything is built in
and it is explained with reference to this federation in the
installation documentation), and partly because the documentation is not
too helpful. A clear and simple checklist of precisely what is needed to
do this at each end would probably be an extremely useful document. The
SDSS federation were most helpful here, because they had already set up
targets and origins within their own federation.

Recommendations: Create a simple document listing the requirements for
setting up trust between origin and target. This should be aimed at
those intending to share resources outside federations, as this is the
more difficult task (federations will tend to have more user-friendly
ways to do this, such as downloadable metadata).

--
Simon McLeish
<>
London School of Economics


