Shibboleth/Dataverse Network integration

[Philip Durbin]

Hi Scott,

Thank you very much for your reply. I'll put some comments inline.

On Thu, Feb 7, 2013 at 12:04 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>> I'm new to Shibboleth... still at the "proof of concept" stage:
>> https://github.com/dvn/shibpoc
>
> I would suggest that if you're doing something like you seem to be, that you rephrase/reword. You're doing SAML. Shibboleth is an implementation of it you're not using, so nothing you're doing really pertains to it specifically. This is  a fairly common misunderstanding.
>
> That's not to say Shibboleth works like most SAML implementations do, but they are interoperable on the wire.
>
> If you're building something yourself, I'd say rethink that idea, but regardless, it's not sufficient to copy some code or read some specs, it's a very large undertaking and it's not something you can learn from a mailing list at this point (and there are unfortunately no books I know of). Thus, my advice is to use something that exists and not build your own.

Obviously, I have more reading to do. Thank you for the pointers. I
hope people don't mind me asking questions.

I plan to use https://github.com/dvn/shibpoc to learn about
Shibboleth. I was thinking I'd follow the Service Provider
instructions at http://testshib.org and see if I can get a basic setup
with Apache. No Glassfish, no Java EE... just try to protect
https://yourhost.org/secure/ with a Shibboleth login per the tutorial.

I'm assuming this will work fine. Then I'll start thinking more about
our Glassfish app.

>> As I understand it, my webapp will be a Service Provider (SP), which I
>> hope isn't too tricky since we use Glassfish rather than Apache. Time
>> will tell.
>
> I've heard good things about the JBoss SAML implementation, but I can't vouch for it.

I tried to run our Glassfish app on https://openshift.redhat.com once
but a Red Hat guy told me there's Glassfish-specific stuff in our app,
so this might be a non-starter. Thanks very much for letting me know
about this though...
http://howtojboss.com/2012/08/07/saml-behind-the-wheel/ is a nice
write up and who knows, maybe someday we'll make sure our app works on
both Glassfish and JBoss. Maybe deployment on JBoss will be required
if you want Shibboleth support.

>> I have OAuth and OpenID accounts to play around with but I've never
>> actually used a Shibboleth account before.
>
> There's really no such thing, see above.

Ok. I'm obviously heavily influenced by my frequent use of OAuth and OpenID.

>> I'm aware of
>> http://testshib.org and I'm using it to test a bit, but is there a
>> place where I can sign up for a free test Shibboleth account and some
>> Shibboleth-enabled services I can sign in to? Just for testing... to
>> get a feel for what the user experience is like, I mean.
>
> The user experience isn't consistent because that's just not practical when you're not Google or Facebook, but the closest analogy would be something like ProtectNetwork, and you could login to, for example, the Shibboleth wiki or issue tracker with that.
>
> The origins of Shibboleth are in the dozens of Web SSO systems built by universities since the mid-90s. I built my first one in 1997, and I copied others that came before it. That's where the user experience comes from.

I hadn't heard of http://www.protectnetwork.org . Thanks.

After I get a better understanding of how Shibboleth works through
some hands-on experience (with testshib.org), I'll probably read up
more on SAML. As you said, I certainly *don't* want to build my own
solution... I'm seeing a few hits for searches on "Glassfish SAML". I
wonder if OpenAM would help me add SAML support to my Glassfish app:
http://openam.forgerock.org ...

I hope it's clear enough what I'm trying to do, which is to let
institutions that are running Shibboleth use it to authenticate to our
Glassfish app rather than using local logins.

I'll keep reading and hacking.

Thanks,

Phil

-- 
Philip Durbin
Software Developer for http://thedata.org
http://www.iq.harvard.edu/people/philip-durbin