Which handler LDAP SSO - NOW kerberos integration
Morris, Andi
amorris at cardiffmet.ac.uk
Tue Nov 18 12:01:23 EST 2014
Hi Peter,
Yes, the Newcastle guide does talk about the spnegoscript.js, which I have configured and placed within the /opt/shibboleth-identityprovider-2.4.3/src/main/webapp/login.jsp script as below:

    <html xmlns="http://www.w3.org/1999/xhtml">
      <head>
        <title>Shibboleth Identity Provider - Login</title>
        <script src="/opt/shibboleth-identityprovider-2.4.3/src/main/webapp/spnegoscript.js"></script>
        <script>
          spnego('<%= loginContext.getRelyingPartyId() %>', '<%=request.getRemoteAddr()%>')
        </script>
      </head>
My spnegoscript.js is:

    function spnego(sp, ip)
    {
        // don't autologin anywhere (return us to the login page)
        //return;

        // IPs we don't want to autologin (that will never have Kerberos tokens)
        //if (ip.indexOf("10.12.", 0) == 0) { return; } //(magpie)
        //else if (ip.indexOf("10.6.", 0) == 0) { return; } //(ivpn)
        //else if (ip.indexOf("128.240.246.", 0) == 0) { return; } //(evpn)

        // SPs we want to do autologin with (optional)
        var autoSPs=[ "https://sp.testshib.org/shibboleth/metadata"];
        if (autoSPs.join().indexOf(sp)>=0)
        {
            // check machine in campus IP range
            if ((ip.indexOf("192.",0) == 0)i &&
                (navigator.userAgent.indexOf("Trident") != -1))
            {
                window.location = "/idp/Authn/Kerberos/Login";
            }
        }
        else
        {
            return; // return to the login page, auto-login conditions not met
        }
    }

However, I always see the login page, even though I'm coming from IE11 (Trident), my IP address begins with 192. and the relying party is sp.testshib.org.
Cheers,
Andi
-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
Sent: 18 November 2014 16:50
To: users at shibboleth.net
Subject: Re: Which handler LDAP SSO - NOW kerberos integration
* Morris, Andi <amorris at cardiffmet.ac.uk> [2014-11-18 17:40]:
> However I can't see where in any of the Kerberos login config files
> that I can enable autologin.
This will need tuning of your JSP files, I'm assuming, incl detection of whether the User Agent will be able to handle that.
Doesn't the Newcastle guide cover that?
> Another question is, do I need to reinstall the application each time
> I make a change to anything within the shibinstall path folder?
> EG.,
> /opt/shibboleth-identityprovider-2.4.3/src/main/webapp/login.jsp
Yes, unless you're willing to do other/even more work switching from JSP to Velocity.
-peter
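
An added example, not part of the thread and not Shibboleth project code: the auto-login decision from the spnegoscript.js above, written as a pure function so it can be checked outside the browser, with the relying party ID matched exactly rather than by substring. The SP entity ID, the "192." prefix, the "Trident" token and /idp/Authn/Kerberos/Login come from the message; the function names, constant names and sample inputs are hypothetical.

```javascript
// Added example (assumed names); values marked "from the message" are the poster's.
var AUTO_SPS = ["https://sp.testshib.org/shibboleth/metadata"]; // from the message
var CAMPUS_PREFIXES = ["192."];                                 // from the message
var SKIP_PREFIXES = [];   // ranges that never hold Kerberos tickets (empty here)
var KERBEROS_LOGIN = "/idp/Authn/Kerberos/Login";               // from the message

function startsWithAny(ip, prefixes) {
  return prefixes.some(function (p) { return ip.indexOf(p) === 0; });
}

// Returns the redirect target, or null to stay on the login form.
function autoLoginTarget(sp, ip, userAgent) {
  if (typeof sp !== "string" || typeof ip !== "string") { return null; }
  // Exact entity ID match: join().indexOf(sp) would also accept "" or any
  // fragment of a listed ID, because it is a substring search.
  if (AUTO_SPS.indexOf(sp) === -1) { return null; }
  if (startsWithAny(ip, SKIP_PREFIXES)) { return null; }
  if (!startsWithAny(ip, CAMPUS_PREFIXES)) { return null; }
  // Only browsers expected to answer the SPNEGO challenge (IE's Trident engine).
  if (String(userAgent).indexOf("Trident") === -1) { return null; }
  return KERBEROS_LOGIN;
}

// Browser entry point, same signature as the spnego(sp, ip) call in login.jsp.
function spnego(sp, ip) {
  var target = autoLoginTarget(sp, ip, navigator.userAgent);
  if (target) { window.location = target; }
}

// Constructed sample inputs for a quick check under Node.
var SAMPLE_UA = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko";
function runSamples() {
  return [
    autoLoginTarget(AUTO_SPS[0], "192.168.10.20", SAMPLE_UA),           // redirect
    autoLoginTarget("https://sp.testshib.org", "192.168.10.20", SAMPLE_UA), // null
    autoLoginTarget(AUTO_SPS[0], "10.6.1.1", SAMPLE_UA)                 // null
  ];
}
```

In the script as posted, the `i` after the first condition of the campus IP check is a syntax error, so a browser cannot parse the file and `spnego` is never defined. The `src` attribute of the script tag is also resolved by the browser as a URL on the IdP host, not as a path on the server's filesystem.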