Presence and IntComm WG

[Rodney McDuff <>]

Hi All
   Here is some links to get a shibboleth SP up and running

1) The Shibboleth Internet2 wiki is a fount of shibboleth knowledge and
I recommend that people browse through it at their leisure. I will
referring to it alot. Here are some links to get your head around the
whole shibboleth thing.
  * https://spaces.internet2.edu/display/SHIB/UnderstandingShibboleth
  * http://shibboleth.internet2.edu/about.html
  * https://spaces.internet2.edu/display/SHIB/DeploymentBackground
  * https://wiki.esecurity.edu.au/display/draft/Shibboleth+Architecture
The last URL has an insightful (atleast to the technical) step-by-step
interactions between a user, SP, wayf and Identity Provider (IdP).

2) Installing the Shibboleth SP. The "Service Provider Installation"
section of
<https://spaces.internet2.edu/display/SHIB/InstallingShibboleth> is
pertinent for the shibbolized XMPP account registration service. There
are detailed information for installing the SP on several platforms. I
would imagine that linux and OSX are likely choices.

3) Test installation. In shibboleth developers have put up a "test SP"
called TestShib at <http://www.testshib.org/testshib-reg/index.jsp> so
that people can verify their installation. Just follow the bouncing dot.

4) Have a look at the SP configuration options at
<https://spaces.internet2.edu/display/SHIB/SPConfigurationByTopic>. By
comparing the testshib xml config and the stuff on this page you'll get
an idea of what has to change once you join a real federation. Its
pretty minimal;
  * the hostname in the RequestMapProvider stanza
  * the providerId in the Applications stanza
  * the homeURL in the the Applications stanza
  * the certs in the CredentialsProvider stanza
  * the wafyURL in the SessionInitiator stanza
When you join Incommon most of these will be constructed from the
information you provide at the Incommon registration process.

Also have a good understanding of
<https://spaces.internet2.edu/display/SHIB/SPProtectionConfig> for fancy
access/authorization control and
<https://spaces.internet2.edu/display/SHIB/SPAttributeConfig> for
understanding Attribute Acceptance Policies (AAPs) work. (Its the
AAP.xml file that controls how attributes embedded in a SAML assertion
are manifested to the webapp.

5) Join Incommon as an SP. Most of the technical info is at:
  * <http://www.incommonfederation.org/metadata.html> and
  * <http://www.incommonfederation.org/technical.html>
There is an Incommon federation manager at
<https://service1.internet2.edu/siteadmin/manage/> which maintains the
Incommon metadata
<https://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml>. It
requires a username and password to get access to it. Members of
Incommon get a username and password.

Once registered with Incommon modify the shibboleth.xml to reflect you
ProviderID and new cert/key pair (used to secure the shibboleth
back-channel between which SP and IdP and should be provided by
Incommon as part of the registration process.)

6) Become familiar with this page
<https://spaces.internet2.edu/display/SHIB/CPPSPCommonErrors>


-- 
Dr. Rodney G. McDuff                 |Ex ignorantia ad sapientiam
Manager, Strategic Technologies Group|    Ex luce ad tenebras
Information Technology Services      |
The University of Queensland         |
EMAIL: 

          |
TELEPHONE: +61 7 3365 8220           |