
shibboleth-dev - Re: modifying sites.xml

Subject: Shibboleth Developers


Re: modifying sites.xml


  • From: John-Paul Robinson <>
  • To: Tom Scavo <>
  • Cc:
  • Subject: Re: modifying sites.xml
  • Date: Tue, 12 Jul 2005 17:21:33 -0500 (CDT)

Howdy. Sorry to take so long in responding. Was out yesterday and had an
apache config debugging day today. :(

The technical aspects are fairly straightforward. As Peter noted in a
later email, the WhoAreYou OpenIdP is based on Drupal, a popular content
management system. Being a stand-alone CMS it comes with decent self
registration support for users. Being a quality CMS it is very modular so
I can easily turn off everything I don't want users to use. In this case,
the only thing I want is for people to create an identity without admin
intervention. You can create an id, get a password reminder, or set a
preferred password. That's it. All you need is an email address where
you can receive the password. (Maybe I'll offer more features later, don't
know.)

Drupal uses a SQL database (mysql) on the backend so this lets me do two
important things from the Shib perspective: I can use it as the data
source for the AA in the shib setup and I can use the mod_auth_mysql to
verify the username/password for an HTTP basic auth. I just set up a
standard shib IdP to hook into the Drupal database and return the username
and email attributes to targets.

The HS is protected with the mod_auth_mysql. This lets me use the same
username/password that's in Drupal but obviously the interface sucks.
I'd really like to add webiso for this idp or some form-based authn front
end for the HS. The webiso approach would make it easy to host these
tools on different machines. I think if I rely on a Drupal login to do
the authn for the HS, I'll need to get the HS in the namespace of the
Drupal install. I'll probably end up trying both. :)

The goal of all this is to have the equivalent of a "local" login
interface for systems environments to get around the "what if I don't have
shib" or "what if I want to create local accounts" issues. The target
needs to be willing to accept the rather loose identities that get handed
out, but this isn't really all that different from most self-registration
sites. The quality of the identities could be improved significantly by
enabling moderated account creation in Drupal. I just don't want to do
any work right now, so I'm not moderating identities. ;)

Hope this helps. Let me know if there are any areas I can clarify.

~jpr

On Mon, 11 Jul 2005, Tom Scavo wrote:

> On 7/8/05, John-Paul Robinson
> <>
> wrote:
> >
> > I've got my test open idp here:
> >
> > http://webapp.lab.ac.uab.edu/idp
> >
> > You can get an identity and then use it participate in the test vo
> > environment here:
> >
> > http://webapp.lab.ac.uab.edu/sympa
>
> John-Paul, would you mind describing the underlying technical aspects
> of your cool zero-admin IdP?
>
> Thanks,
> Tom
>
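
As an added illustration of the setup John-Paul describes (not configuration from the thread or from the WhoAreYou OpenIdP itself), here is an Apache 2.2 location block that protects a Shibboleth 1.x Handle Service with mod_auth_mysql against a Drupal users table. It assumes the HS is mounted at /shibboleth-idp/HS, a Drupal 4/5 schema with users(name, pass, mail, status) where pass is an MD5 hex digest, and a read-only MySQL account named shibro; the directive names are mod_auth_mysql 3.x's, and the database name, account and password are placeholders.

```apache
# Added example, not from the original thread. Assumed paths, table and
# account names are marked; replace CHANGEME before use.
<Location /shibboleth-idp/HS>
    # Basic auth sends the password in the clear, so confine the HS to HTTPS.
    SSLRequireSSL

    AuthType Basic
    AuthName "WhoAreYou OpenIdP"
    # Let mod_auth_mysql, not mod_auth_basic, make the final decision.
    AuthBasicAuthoritative Off

    Auth_MySQL_Enable On
    Auth_MySQL_Host localhost
    Auth_MySQL_DB drupal
    # Dedicated read-only account (assumed name). These credentials sit in
    # httpd.conf, so grant it SELECT on users only and keep the file root-readable.
    Auth_MySQL_User shibro
    Auth_MySQL_Password CHANGEME

    # Drupal's users table (assumed schema: name, pass, mail, status).
    Auth_MySQL_Password_Table users
    Auth_MySQL_Username_Field name
    Auth_MySQL_Password_Field pass
    # Drupal 4/5 stores md5(password) as a hex digest; tell the module so it
    # hashes the submitted password the same way before comparing.
    Auth_MySQL_Encryption_Types PHP_MD5
    # Never let an empty stored hash mean "any password is accepted".
    Auth_MySQL_Empty_Passwords Off
    # Deny on failure instead of falling through to another auth module.
    Auth_MySQL_Authoritative On
    # Only active Drupal accounts (status = 1) may obtain handles; this
    # directive is available in mod_auth_mysql 3.x (assumed present here).
    Auth_MySQL_Password_Clause " AND status = 1"

    Require valid-user
</Location>
```

The same Drupal table (name, mail) is what the AA would read when returning the username and email attributes, so the read-only account can serve both the HS and the AA.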

Archive powered by MHonArc 2.6.16.