Time |
S |
Nick |
Message |
08:24 |
|
|
zodbot joined #dvn |
13:51 |
|
pdurbin |
gearing up to talk about shibboleth: http://irclog.perlgeek.de/shibboleth/2013-02-13#i_6447050 |
14:23 |
|
pdurbin |
"What about apache+mod_shib+ajp as a solution for integrating Shibboleth with a Glassfish application? This was suggested to me at http://irclog.perlgeek.de/shibboleth/2013-02-13#i_6447092 Alternatives I'm considering are http://openam.forgerock.org (formerly http://en.wikipedia.org/wiki/OpenSSO ) or something along the lines of http://code.google.com/p/websso/ which uses http://www.opensaml.org " |
14:24 |
|
pdurbin |
I just posted that. It *should* appear at http://weblogs.java.net/blog/amyroh/archive/2012/02/15/running-glassfish-312-apache-http-server#comment-827367 after it's approved |
14:41 |
|
pdurbin |
oh good. it looks like it got approved |
14:49 |
|
pdurbin |
another vote for OpenAM: http://twitter.com/jm2dev/status/301702827431059458 |
15:16 |
|
pdurbin |
I sent a reminder about today's IRC meeting about Shibboleth. The agenda is here: https://groups.google.com/d/topic/dataverse-community/_v77HGj4wPk/discussion |
15:17 |
|
pdurbin |
- summarizing how authentication works in a Dataverse Network today |
15:17 |
|
pdurbin |
- reaching a common understanding of what Shibboleth is |
15:17 |
|
pdurbin |
- roughing out a plan for how to integrate Shibboleth into the DVN |
15:18 |
|
pdurbin |
- discussing implications of Shibboleth integration |
15:47 |
|
|
mcowen joined #dvn |
15:56 |
|
|
pdurbin2 joined #dvn |
15:56 |
|
pdurbin2 |
this is a test from adium: http://adium.im |
16:02 |
|
|
bobtreacy joined #dvn |
16:11 |
|
pdurbin |
bobtreacy: welcome! :) |
16:24 |
|
pdurbin |
mcowen: the gang's all here |
18:06 |
|
pdurbin |
someone in #glassfish mentioned there's a Glassfish "community" on Google+, so I asked for shibboleth integration suggestions there: https://plus.google.com/107770072576338242009/posts/X7dVmrXaBu2 |
18:29 |
|
|
matt1337357 joined #dvn |
18:50 |
|
|
matt1337357 joined #dvn |
18:51 |
|
|
gdurand joined #dvn |
18:53 |
|
|
mcowen joined #dvn |
18:59 |
|
|
Jon__ joined #dvn |
19:00 |
|
Jon__ |
hello |
19:00 |
|
pdurbin |
Jon__: hi! welcome |
19:01 |
|
Jon__ |
I am not sure how you planned for this to go or what you want to accomplish? |
19:01 |
|
pdurbin |
well, i have an agenda |
19:01 |
|
pdurbin |
you'll see :) |
19:01 |
|
pdurbin |
i even have a meeting bot: zodbot :) |
19:02 |
|
pdurbin |
we'll see how this goes :) |
19:02 |
|
pdurbin |
#startmeeting |
19:02 |
|
zodbot |
Meeting started Wed Feb 13 19:01:38 2013 UTC. The chair is pdurbin. Information about MeetBot at http://wiki.debian.org/MeetBot. |
19:02 |
|
zodbot |
Useful Commands: #action #agreed #halp #info #idea #link #topic. |
19:02 |
|
pdurbin |
#topic intro |
19:03 |
|
pdurbin |
hello and welcome! I've called this meeting to talk about integrating Shibboleth into the Dataverse Network (DVN) |
19:03 |
|
|
marlena joined #dvn |
19:04 |
|
pdurbin |
my web page is http://www.iq.harvard.edu/people/philip-durbin and i own the ticket we're using to track the integration: https://redmine.hmdc.harvard.edu/issues/2657 |
19:04 |
|
pdurbin |
here's the agenda: |
19:04 |
|
pdurbin |
- summarizing how authentication works in a Dataverse Network today |
19:05 |
|
pdurbin |
- reaching a common understanding of what Shibboleth is |
19:05 |
|
pdurbin |
- roughing out a plan for how to integrate Shibboleth into the DVN |
19:05 |
|
pdurbin |
- discussing implications of Shibboleth integration |
19:05 |
|
pdurbin |
everyone should feel free to jump in at any time |
19:06 |
|
pdurbin |
you're welcome to link to a page about yourself or otherwise say who you are like I did above :) |
19:06 |
|
pdurbin |
#topic summarizing how authentication works in a Dataverse Network today |
19:06 |
|
pdurbin |
let's use https://dvn-demo.iq.harvard.edu/dvn/ as an example. It's running DVN 3.3 |
19:07 |
|
pdurbin |
there are two links at the top right: "Create Account" and "Log In" |
19:07 |
|
pdurbin |
"Create Account" takes you to pretty standard form asking for a username, password, email, etc. |
19:07 |
|
pdurbin |
after filling out the form you're logged in |
19:07 |
|
pdurbin |
you can create a dataverse, create studies, upload files, etc. |
19:08 |
|
|
mheppler joined #dvn |
19:08 |
|
pdurbin |
the user account you created is stored locally, in a PostgreSQL database |
19:08 |
|
pdurbin |
all in all, i think it's a pretty standard way for a webapp to behave |
19:09 |
|
pdurbin |
if there are any questions or comments about this, please go ahead |
19:09 |
|
pdurbin |
I *could* go into how at least for the DVN at https://dvn.iq.harvard.edu/dvn/ we have the concept of being a Harvard Affiliate... |
19:10 |
|
pdurbin |
which is based on IP addresses or logging in through what we at Harvard call "PIN auth" |
19:10 |
|
|
watcher joined #dvn |
19:11 |
|
pdurbin |
... but I think I'll go ahead and talk some more about Shibboleth :) |
19:11 |
|
pdurbin |
#topic reaching a common understanding of what Shibboleth is |
19:12 |
|
pdurbin |
according to http://shibboleth.net "Shibboleth is an open-source project that provides Single Sign-On capabilities and allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner" |
19:12 |
|
pdurbin |
http://shibboleth.net/about/basic.html has more about the main "actors" in Shibboleth. I want to focus on the Identity Provider (IdP) vs. the Service Provider (SP) |
19:12 |
|
pdurbin |
the Identity Provider (IdP) authenticates the user. http://idp.testshib.org is an example IdP. It stores all the usernames and passwords (and other info like email address, etc.) |
19:13 |
|
pdurbin |
Jon__: as I understand it http://its.unc.edu/service-catalog/shibboleth/ describes the IdP that Odum would use |
19:13 |
|
pdurbin |
here's the official write up of what an IdP is: http://shibboleth.net/products/identity-provider.html |
19:13 |
|
pdurbin |
a Service Provider (SP) registers with an IdP to... provide a service |
19:14 |
|
pdurbin |
the official write up is at http://shibboleth.net/products/service-provider.html but I'd like to move on to a real-world example I cooked up |
19:14 |
|
pdurbin |
I've taken a server called "dvn-vm2" and have made it a Service Provider (SP). The service it's providing is access to a protected area Shibboleth people call a "resource" |
19:14 |
|
pdurbin |
Let's say we've licensed STATA and want to let students download it after they've logged in to Shibboleth. |
19:15 |
|
pdurbin |
Back to the server... I've registered it as a Service Provider (SP) with the Identity Provider (IdP) from testshib.org |
19:15 |
|
pdurbin |
If you click https://dvn-vm2.hmdc.harvard.edu/secure/ you should be redirected to a login page at https://idp.testshib.org/idp/Authn/UserPassword |
19:15 |
|
pdurbin |
you can go ahead and try it :) |
19:16 |
|
pdurbin |
you should see some usernames and passwords listed... such as myself/myself or alterego/alterego |
19:16 |
|
pdurbin |
After login you should be taken back to https://dvn-vm2.hmdc.harvard.edu/secure/ and see "Secure area" |
19:17 |
|
pdurbin |
let me pause for a minute and ask if anyone here is able to successfully log in to https://dvn-vm2.hmdc.harvard.edu/secure/ ? |
19:17 |
|
sbmarks |
yep! |
19:17 |
|
pdurbin |
sbmarks: awesome. thanks |
19:18 |
|
pdurbin |
so you get a sense of what's happening :) |
19:18 |
|
pdurbin |
https://github.com/dvn/shibpoc contains all the configuration for how I set up dvn-vm2 |
19:18 |
|
pdurbin |
If you jump down to https://github.com/dvn/shibpoc#http-headers-from-login-test you'll see the various URLs your browser hits as you log in ... idp/profile/SAML2/Redirect/SSO?SAMLRequest... /idp/AuthnEngine ... /idp/Authn/UserPassword ... /idp/profile/SAML2/Redirect/SSO ... /Shibboleth.sso/SAML2/POST etc. |
19:18 |
|
pdurbin |
marlena: i'm sure you understand all those URLs better than i do :) |
19:19 |
|
pdurbin |
so the thing we're protecting is /secure |
19:19 |
|
pdurbin |
and everything underneath it |
19:20 |
|
pdurbin |
on disk /secure is /var/www/html/secure |
19:20 |
|
pdurbin |
and you can imagine goodies in there like /var/www/html/secure/STATA-installer.exe |
19:20 |
|
pdurbin |
licensed software, that is, that we want to protect from the public |
19:21 |
|
pdurbin |
we only want students to download it. after they have authenticated via Shibboleth, via our IdP |
19:22 |
|
pdurbin |
again, I've registered the Service Provider (that dvn-vm2 server) with a specific IdP at testshib.org |
19:23 |
|
pdurbin |
I think of this as the "hello world" of Shibboleth... it's a pretty basic use case really... trying to protect some files from being downloaded by the public |
19:23 |
|
pdurbin |
does this make sense to people? |
19:23 |
|
sbmarks |
yup. makes sense! |
19:23 |
|
pdurbin |
sbmarks: cool |
19:23 |
|
pdurbin |
anyone else out there? :) |
19:24 |
|
marlena |
Sure it makes sense -- but shibb is ignorant of what you are trying to protect. |
19:24 |
|
bobtreacy |
I'm lurking |
19:24 |
|
gdurand |
same here |
19:24 |
|
pdurbin |
heh |
19:24 |
|
pdurbin |
marlena: well.. i was wondering that too |
19:24 |
|
marlena |
By the time you are ready to make an authorization decisions -- for downloading files or whatever, shibb should be out of the picture. |
19:24 |
|
pdurbin |
how does shibboleth know that it's supposed to protect /secure and not some other area |
19:25 |
|
marlena |
That has to do with your httpd configuration. |
19:25 |
|
pdurbin |
i actually created http://dvn-vm2.hmdc.harvard.edu/open/ to say "Wide open area" and it *doesn't* require any shibboleth auth |
19:25 |
|
pdurbin |
marlena: yes! exactly |
19:26 |
|
pdurbin |
there is an Apache config file that ships with the shibboleth RPM: /etc/httpd/conf.d/shib.conf |
19:27 |
|
pdurbin |
it has standard apache stanzas... looks like this: <Location /secure> AuthType shibboleth ... </Location> |
19:27 |
|
pdurbin |
i put the whole stanza at https://github.com/dvn/shibpoc |
19:29 |
|
pdurbin |
#info https://dvn-vm2.hmdc.harvard.edu/secure/ example show protecting files from download |
19:29 |
|
pdurbin |
#topic roughing out a plan for how to integrate Shibboleth into the DVN |
19:30 |
|
pdurbin |
Unlike the "hello world" dvn-vm2 example above with a "secure" area for software downloads, DVN is a full Java EE web application (running on Glassfish)... the identity of users is fundamental to DVN's operation |
19:30 |
|
pdurbin |
I think we can all agree on this :) |
19:30 |
|
sbmarks |
seems fair |
19:31 |
|
pdurbin |
every dataverse network has users. users create dataverses. and permissions are granted on studies within those dataverses |
19:31 |
|
pdurbin |
each dataverse is kind of a world of access control :) |
19:31 |
|
pdurbin |
i mean, some people choose to have everything public |
19:32 |
|
pdurbin |
but many users restrict access to their studies and data to certain other users |
19:33 |
|
pdurbin |
also, the dvn-vm2 example was all or nothing... either you have access to that /secure area or you don't |
19:33 |
|
marlena |
That's not strictly correct. |
19:33 |
|
pdurbin |
with the DVN your view of a page might be different depending on whether you're logged in or not |
19:33 |
|
pdurbin |
marlena: no? |
19:34 |
|
marlena |
Any time a user does a GET you (the app) get to do an authorization decision -- presumably based on a cookie you've sent (after you've gotten attributes via the Shibb authentication step). |
19:35 |
|
pdurbin |
hmm, ok. sounds good. i don't feel like i'm making any decisions in my hello world dvn-vm2 example though. but i guess i could somehow |
19:36 |
|
marlena |
If you haven't set a cookie or the cookie is expired you can redirect the user to a shibb-protected url -- and then get attributes for them. |
19:36 |
|
marlena |
That's one way of doing things any way :-). |
19:36 |
|
pdurbin |
:) |
19:36 |
|
pdurbin |
ok |
19:36 |
|
marlena |
It's actually a fairly typical way AFAIK. |
19:37 |
|
pdurbin |
well, the point i'm driving at is that auth is fundamental to the DVN so the integration with shibboleth needs to be complete... it needs to be deep |
19:38 |
|
marlena |
Yes to "complete." |
19:38 |
|
pdurbin |
and we need to make sure the shibboleth integration is a toggle switch... most DVN installations don't have a local Shibboleth Identity Provider (IdP) to point at |
19:39 |
|
marlena |
I think the idea of "local idp" is a bit off-base. |
19:39 |
|
pdurbin |
is it? |
19:39 |
|
marlena |
The whole point is that the user logs in at their home (remote) institution. |
19:39 |
|
marlena |
At least that was the original point :-). |
19:39 |
|
pdurbin |
ok, let's same "home institution" :) |
19:40 |
|
pdurbin |
whoops. let's say "home institution" :) |
19:40 |
|
pdurbin |
anyway, at the end of the day we need to code this up in Java somehow and right now I'm seeing three different approaches we could take |
19:40 |
|
pdurbin |
three different directions |
19:41 |
|
pdurbin |
and maybe we'll try a couple and see which works best |
19:41 |
|
pdurbin |
let's call the first option "fronting Glassfish with Apache" |
19:41 |
|
marlena |
Here's one way: When the user hits your authentication page, they can pick "local login" if they want to use their existing dataverse name/pwd or they pick from a list of IdPs that the Dataverse talks to. |
19:42 |
|
sbmarks |
one thing we want to flag for now or later: we are a consortium and would have to rely on multiple IdPs |
19:42 |
|
sbmarks |
ah k |
19:42 |
|
sbmarks |
a wayf page |
19:43 |
|
sbmarks |
(i have expert help sitting next to me) |
19:43 |
|
marlena |
In essence -- except that it also allows local login. |
19:43 |
|
bobtreacy |
Does anybody know, is there something shib provides that is different from other SAML implementations? |
19:43 |
|
sbmarks |
cool |
19:43 |
|
marlena |
What the shibb code provides that SAML doesn't is... |
19:44 |
|
marlena |
....a fairly rich set of attribute acquisition and mapping facilities both on the IdP and SP side. |
19:45 |
|
marlena |
This lets the IdP send attributes other than "name" -- and lets the SP (via configuration) change the attributes it gets into something your app knows how to consume. |
19:47 |
|
marlena |
Phil: please resume your set of approaches. Sorry about the interrupt :-). |
19:47 |
|
pdurbin |
gdurand: at a meeting the other week we talked a bit about local logins vs. login via an IdP... I feel like we were thinking that if a DVN installation moved to IdP logins that they would no longer be able to use local login |
19:48 |
|
pdurbin |
sbmarks: or multiple IdPs |
19:48 |
|
marlena |
If you let the user pick "local login" or their home institution (assuming it's in a list of IdPs you support), then you can do both. |
19:49 |
|
pdurbin |
right but it's a design decision |
19:49 |
|
marlena |
If you have users who are at institutions that don't have IdPs, aren't you kind of pushed into doing support for both types of login? (Just sayin' :-).) |
19:50 |
|
pdurbin |
well, yes, but not necessarily at the same time, if that makes sense |
19:50 |
|
pdurbin |
I left a note to myself to pick up this thread about local logins later |
19:50 |
|
marlena |
Don't get me wrong: some apps force Shibb/SAML authentication and don't have the notion of local login (even if they did in the past). |
19:50 |
|
sbmarks |
amaz says: you're absolutely right. It comes down to what you'd like to support. You currently have local users... you want to support idP logins... you may want to support linking an existing account to a shib account... |
19:51 |
|
marlena |
Exactly. |
19:51 |
|
pdurbin |
sbmarks: yes, exactly. we were thinking about a link |
19:51 |
|
pdurbin |
all DVN installations now have local accounts only |
19:51 |
|
sbmarks |
excellent |
19:51 |
|
gdurand |
I think they would still need local login. For example our DVN. If we allow authentication for Harvard folks via IDP, we still want all other current users to be able to log in. |
19:51 |
|
pdurbin |
yes |
19:52 |
|
gdurand |
It's just that if they had created the account via IDP, then they would not have a way to login locally (no stored password). |
19:52 |
|
marlena |
When I talked to Merce & Phil & Gustavo a few weeks ago, we talked about linking the Shib-provided identity to an IQVerse-held identity -- so that they wouldn't have to muck with their authorization system. |
19:52 |
|
marlena |
Why would they need to login locally? |
19:53 |
|
pdurbin |
marlena: social scientists anywhere in the world are welcome to create accounts at https://dvn.iq.harvard.edu/dvn/ and start uploading data |
19:54 |
|
marlena |
Well, you encourage them to create their account via authN via shibb, instead of getting a new name/pwd. |
19:54 |
|
gdurand |
In our DVN, for example, we allow anyone to create an account. So some people are Harvard affiliates and could use their Harvard credentials, but others are from anywhere else and still need the ability to create accounts, log in, etc. |
19:54 |
|
pdurbin |
so in the future, if Harvard has an IdP we can point that DVN installation at... we would need to support login via IdP and local logins for non-Harvard people |
19:55 |
|
marlena |
Um, what about users who have IdPs at their non-Harvard institutions? |
19:55 |
|
sbmarks |
marlena: if an SP (who is a consortia) wants to provide access to students across their consortia, but not all consortia members have idPs? |
19:55 |
|
sbmarks |
you would perhaps provide a "WAYF" page |
19:55 |
|
marlena |
Then they allow local logins and Shib-enabled authentication. |
19:56 |
|
marlena |
Yes, via a WAYF-type page. "Where Are You From" |
19:56 |
|
pdurbin |
marlena: thanks. not everyone knows what WAYF means, i'm sure |
19:56 |
|
marlena |
An alternate is to have the user get an account at "protect net" -- which serves as an IdP. |
19:57 |
|
sbmarks |
amaz says: my bad! |
19:57 |
|
marlena |
I had to do this so I could authenticate to an InCommon site (because Harvard's IdP (which I'm standing up) isn't yet ready). |
19:58 |
|
marlena |
I think this is not a bad way to go -- and is worth exploring i.e. have users get a protect net account instead of a local account. |
19:58 |
|
pdurbin |
marlena: so you seem to be saying that if a DVN installation chooses to use an IdP, we shouldn't allow local logins at all. that people who don't have an account with the home institution IdP should still log in via *some* IdP such as http://www.protectnetwork.org |
19:59 |
|
marlena |
No. No. No. |
19:59 |
|
pdurbin |
ok :) |
19:59 |
|
marlena |
I'm not saying that.. |
19:59 |
|
marlena |
I'm providing a set of possibilities. |
19:59 |
|
pdurbin |
ok. well i think we'll need to support both local logins and login via an IdP for some DVN installations |
19:59 |
|
marlena |
I think it's fine to provide local accounts if you want to continue to do that. And it might be fine to ask users to get a protect net account instead. |
20:00 |
|
pdurbin |
i don't think protect net accounts are free |
20:00 |
|
marlena |
I didn't pay. |
20:00 |
|
pdurbin |
hmm, ok |
20:00 |
|
marlena |
Like I said, "worth exploring" :-). |
20:00 |
|
pdurbin |
anyway, i'd like to get back to java |
20:00 |
|
pdurbin |
and possible directions |
20:00 |
|
pdurbin |
bobtreacy: and your question :) |
20:01 |
|
pdurbin |
so the first option is "fronting Glassfish with Apache" |
20:01 |
|
pdurbin |
This write up says nothing about mod_shib, but it's probably the best resource about fronting glassfish with Apache: http://weblogs.java.net/blog/amyroh/archive/2012/02/15/running-glassfish-312-apache-http-server |
20:02 |
|
pdurbin |
Some people call this "apache+mod_shib+ajp": http://irclog.perlgeek.de/shibboleth/2013-02-12#i_6444686 |
20:03 |
|
pdurbin |
bobtreacy: as you and i were discussing, however, this introduces a dependency on apache |
20:03 |
|
pdurbin |
right now people don't need apache to run DVN. just glassfish |
20:03 |
|
pdurbin |
#info option 1: fronting Glassfish with Apache |
20:03 |
|
pdurbin |
Another option is OpenAM: http://openam.forgerock.org |
20:04 |
|
pdurbin |
OpenAM is the continuation of a (defunct) Sun project called OpenSSO: http://en.wikipedia.org/wiki/OpenSSO |
20:04 |
|
bobtreacy |
Marlena answered it to some extent, although I'd like to understand more what we'd lose with say OpenAM, since that shib guy you were talking to suggested using other SAML implementations, for instance on JBoss and as you say we have discussed using this on glassfish |
20:04 |
|
pdurbin |
#info option 2: OpenAM |
20:05 |
|
pdurbin |
bobtreacy: can you describe your experience with OpenAM? |
20:05 |
|
marlena |
I have to pay attention to another conf call.... |
20:05 |
|
marlena |
I'll try to multiplex :-). |
20:07 |
|
pdurbin |
(this guy votes for OpenAM by the way: https://twitter.com/jm2dev/status/301702827431059458 ... he was testing with TestShib ) |
20:07 |
|
pdurbin |
(as he wrote about here: http://lists.forgerock.org/pipermail/openam/2012-June/006831.html ) |
20:08 |
|
pdurbin |
I'm going to go on about the third and last possible direction: writing our own Service Provider (SP) |
20:08 |
|
pdurbin |
Shibboleth uses a protocol called SAML: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language |
20:09 |
|
pdurbin |
In this scenario, we would handle the SAML transactions ourselves |
20:09 |
|
bobtreacy |
I've gone through setting up OpenAM on glassfish a while ago when we were thinking about SSO |
20:09 |
|
pdurbin |
bobtreacy: ok |
20:09 |
|
pdurbin |
This was first suggested to me in #glassfish: http://www.evanchooly.com/logs/%23glassfish/2013-02-07 |
20:09 |
|
marlena |
Phil: Don't forget the attribute transmogrifications. |
20:09 |
|
pdurbin |
The guy mentioned some sample code at http://code.google.com/p/websso/ |
20:09 |
|
pdurbin |
Today in ##shibboleth someone says they wrote their own for node.js: http://irclog.perlgeek.de/shibboleth/2013-02-13#i_6447136 |
20:10 |
|
pdurbin |
In both cases (glassfish and node.js) the underlying library used is OpenSAML: http://opensaml.org |
20:10 |
|
pdurbin |
#info option 3: write our own Service Provider (SP) with OpenSAML |
20:10 |
|
pdurbin |
so those are the three options I see: 1. fronting glassfish with apache, 2. OpenAM, 3. using OpenSAML and handling the SAML back and forth ourselves |
20:12 |
|
pdurbin |
rather than trying to get any of these 3 options right into the DVN, I thought a better approach would be to add them to this simple template app: https://github.com/IQSS/iqss-javaee-template |
20:12 |
|
bobtreacy |
Is marlena's shib going to be available to use, rather than setting up our own apache? |
20:12 |
|
pdurbin |
which i've deployed publicly to http://dvn-vm2.hmdc.harvard.edu:8080/hello1/ so i can hopefully register it with the IdP at https://www.testshib.org |
20:13 |
|
pdurbin |
bobtreacy: i don't know. https://www.testshib.org is out there. i *think* we can test with that |
20:14 |
|
pdurbin |
there are also IdP VMs we can download and test with maybe: http://irclog.perlgeek.de/shibboleth/2013-02-12#i_6444019 |
20:15 |
|
pdurbin |
and http://simplesamlphp.org might be a suitable IdP we could stand up ourselves for testing: http://irclog.perlgeek.de/shibboleth/2013-02-12#i_6444004 |
20:15 |
|
pdurbin |
I'm sure we can only go so far with https://www.testshib.org since we have no control over it, but it's not a bad place to start, I think |
20:16 |
|
pdurbin |
marlena: any word on if we can test with your IdP? |
20:16 |
|
marlena |
Not before a month. |
20:17 |
|
pdurbin |
marlena: ok. no problem. we'll use testshib for now. thanks |
20:17 |
|
marlena |
We could do quick tests before then. |
20:17 |
|
pdurbin |
ok |
20:17 |
|
marlena |
I.e. you and I would need to coordinate to make sure the IdP is up. |
20:17 |
|
pdurbin |
right. makes sense |
20:19 |
|
pdurbin |
so unless there are any objections, the next step I'll take is starting to add some basic auth to https://github.com/IQSS/iqss-javaee-template and once that's up, switch it over to OpenAM |
20:19 |
|
pdurbin |
i plan to look at http://jsfcompref.com (JavaServer Faces 2.0: The Complete Reference) for guidance on coding up some basic auth (or sample code we have in house) |
20:20 |
|
bobtreacy |
btw, looking at http://shibboleth.net/products/identity-provider.html it says supported container Tomcat 6 - glassfish web-tier is tomcat |
20:20 |
|
pdurbin |
bobtreacy: are you thinking we should run our own IdP? |
20:20 |
|
pdurbin |
the DVN team, I mean, for testing? |
20:22 |
|
marlena |
Question: What would your own IdP give you that testshib doesn't? (I haven't looked into testshib.) |
20:22 |
|
gdurand |
it seems to start we can try to use what's out there - first testshib, then Marlena's |
20:22 |
|
bobtreacy |
ok |
20:23 |
|
pdurbin |
#agreed use testshib.org first, then Harvard's test IdP when available |
20:23 |
|
marlena |
If you want to set up your own IdP, feel free -- I'm just wondering what's the bang for the buck. (It might be significant.) |
20:23 |
|
pdurbin |
marlena: our own (or your) IdP would give us control |
20:23 |
|
marlena |
Over what? |
20:24 |
|
pdurbin |
i assume that when installers of the DVN go to turn on shib auth they'll need to coordinate with their home institution's IdP provider |
20:24 |
|
marlena |
Um, not more than they'd coordinate with any IdP they want to deal with. |
20:25 |
|
pdurbin |
hopefully we can get pretty far with a public resource like testshib.org |
20:25 |
|
pdurbin |
#action pdurbin to add basic, non-shib auth to iqss-javaee-template and later OpenAM for testing with testshib.org |
20:25 |
|
pdurbin |
any more action items for this topic? next up is "discussing implications of Shibboleth integration" |
20:26 |
|
pdurbin |
(which we've kind of discussed already) |
20:27 |
|
pdurbin |
#topic discussing implications of Shibboleth integration |
20:27 |
|
pdurbin |
#idea make sure we can support multiple IdPs |
20:28 |
|
pdurbin |
#info shib-enabled DVNs will probably still need local login as well |
20:29 |
|
pdurbin |
#link http://irclog.iq.harvard.edu/dvn/2013-02-13#i_855 discussion of local login and other implications of enabling Shibboleth in a DVN |
20:30 |
|
marlena |
Here's one: Decide on whether you want your IdPs to be part of InCommon. (Reason: That way you get their metadata in a standard feed.) |
20:30 |
|
pdurbin |
marlena: makes sense |
20:31 |
|
pdurbin |
I think we've covered a lot of good ground today... I'm pretty much ready to wrap up |
20:32 |
|
pdurbin |
The conversation can continue in this channel at any time as far as I'm concerned |
20:32 |
|
pdurbin |
people are welcome to pop in with an idea |
20:33 |
|
pdurbin |
are we done? |
20:33 |
|
marlena |
Thanks, Phil. Bye for now. |
20:33 |
|
gdurand |
Thanks, Phil. |
20:34 |
|
pdurbin |
thanks all! |
20:34 |
|
pdurbin |
#endmeeting |
20:34 |
|
zodbot |
Meeting ended Wed Feb 13 20:33:16 2013 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . |
20:34 |
|
zodbot |
Minutes: http://meetbot.fedoraproject.org/dvn/2013-02-13/dvn.2013-02-13-19.01.html |
20:34 |
|
zodbot |
Minutes (text): http://meetbot.fedoraproject.org/dvn/2013-02-13/dvn.2013-02-13-19.01.txt |
20:34 |
|
zodbot |
Log: http://meetbot.fedoraproject.org/dvn/2013-02-13/dvn.2013-02-13-19.01.log.html |
20:34 |
|
zodbot |
Please remember to CC: meetingminutes@lists.fedoraproject.org on your summary/minutes email. |
20:34 |
|
pdurbin |
here are the minutes: http://meetbot.fedoraproject.org/dvn/2013-02-13/dvn.2013-02-13-19.01.html |
20:34 |
|
|
gdurand left #dvn |
20:43 |
|
|
mcowen left #dvn |
20:46 |
|
* pdurbin |
sends out the minutes to the Google Group: https://groups.google.com/d/msg/dataverse-community/_v77HGj4wPk/frXSe0YTNUIJ |
20:55 |
|
|
zodbot left #dvn |
21:23 |
|
pdurbin |
sbmarks: I'm impressed you threw WAYF out there :) |
21:57 |
|
sbmarks |
pdurbin: hehe, I had our systems guy who is very familiar with shib sitting next to me |