Shibboleth Developers

[caleb racey <>]

Hi have seen that SPNEGO is tabled to be discussed on next DEV call so 
thought we would share our experiences as I think they might be relevant. 

We have some experience getting SPNEGO to work with shib in a "usable" 
manner. We are using CAS's SPNEGO support to provide login to a shib2 IDP. We 
would much rather use a login handler so we can support the shib2 flows 
(isPassive is particularly desirable) and reduce the complexity of our login 
stack.   

Our username password store is Active Directory so we rely on it's Kerberos 
support. In order for SPNEGO authentication to work, the client needs to be 
using a browser which supports SPNEGO. Internet Explorer is the only browser 
that supports and is configured to allow SPNEGO  "out of the box" - Firefox 
etc have to be configured to trust the server that is asking for the 
credentials. (about:config    then  network.negotiate-auth.trusted-uris if i 
remember correctly)  

IE + SPNEGO works well on user browsers on PCs joined to the campus Active 
Directory domain. 
However problems arise when Internet Explorer  is used from a machine not 
joined to the domain e.g. access from home computers, personal laptops etc.  
In these cases IE does not automatically trust the login server and has poor 
failover behaviour, instead of failing over to other login techniques like 
web forms it pops up the grey basic authentication box. This in unacceptable 
because the browser still displays the SPs address in the address bar, the 
user therefore can't see whether the SP has genuinely redirected them to the 
right IDP or if they are being spoofed. Firefox fails over nicely to present 
the user with the nice web form but we need to support IE.

To get true SSO +shib to work properly, logic needs to be used before 
deciding which login-technique  to present to the user. SPNEGO if they have 
Internet Explorer/are in a trusted domain i.e. "on campus", or else 
form-login if they don't meet these requirements.   This logic enables  fail 
over to proper web form login and not  the spoofable basic auth grey box 
authentication.

In order to achieve this  using CAS we now have 2 IDPs one  which ha CAS 
configured to  provide SPNEGO login support to the set of internal apps that 
require it, and another IDP with CAS and no spengo configured which handles 
all other logins.  On the SPs we use lazy sessions and application code to 
detect whether the user is on campus and using IE, then they get directed to 
the SPNEGO IDP if not they get the normal web form based one. 

This is admittedly a hacky inelegant solution to the problem, but it works. 
If a SPNEGO login handler is to be made it will likely need to incorporate 
logic that allows it to detect user agent strings ip-addresses etc and 
failover login to alternative methods.

Additionally as part of a JISC project we did a short scoping study on how 
easy it would be port CAS's SPENGO support to a shib SPNEGO handler, see 
http://gfivo.ncl.ac.uk/documents/Shib_SPNEGO.pdf   (Summary looks easy 
enough, licensing looks compatible,  requires levels  of java and spring 
knowledge which we don't have)  

Apologies for the length of this email, i  have tried to keep it short but 
the complexity of actually using SPNEGO is the enemy of brevity.

Regards

Cal

Caleb Racey
Team Leader
Middleware Team 
ISS
Newcastle University
U.K.