Support in setting up a Shibboleth SP

Cantor, Scott cantor.2 at osu.edu
Thu Aug 13 13:33:21 EDT 2015 

On 8/13/15, 9:45 AM, "users on behalf of Tony Wheatman" <users-bounces at shibboleth.net on behalf of Tony.Wheatman at nottingham.ac.uk> wrote:



>I am the project manager and we are undertaking a project around a Confluence Workspace site that hosts something called the Virtual Postgraduate Platform.

Confluence is possible, but it's not a trivial integration, their SSO support is borderline awful. It is a long term undertaking that you will have to dedicate appropriate investment to to keep it working, given the pace of the product.

> 
>We have been in negotiation around making this a shibbolized (I hope that is the correct terminology !) solution, allowing single sign on based on the sharing of attributes from each University and the setup of the UoN as a Service Provider.
> 
>We have now opted for this as a solution, but we are struggling with resource at the moment and the deadline of the 21st September, could be at risk. I am therefore reaching out to you for support and to understand what support is out there, what the availability is like and what if any, the cost would be.

This list is for support of somebody deploying our software. If you're looking for commercial help, you can refer to the list of firms on our web site for possibly leads or somebody might see the note of course, but as far as the list goes, you need a technical resource with time to spend, and without that you can't really maintain this anyway.

> 
>What I’m looking for is;
>-              General guidance on how to do this

You install and configure an SP, and you do a fair bit of low level integration with Apache, Confluence, and the plugin for confluence available to delegate authentication to the web server, which is out in github (https://github.com/chauth/confluence_http_authenticator).

>-              A list of tasks that need to be completed

- learn a *lot* of stuff
- make Confluence work behind Apache via the proxy_ajp connector
- install an SP with Apache
- configure the SP to work with the IdPs/federations required and deploy a discovery UI to allow users to pick the IdP to use
- configure Confluence with the plugin and configure it with the rules you want for populating user attributes and potentially groups
- tweak the Apache configuration to handle some of the nastier issues with Confluence's SSO support

> 
>-              Associated timescales

Entirely dependent on experience, likely weeks.

>If you can help on any aspect of this I would appreciate it greatly I’m looking at every way possible at the moment to ensure successful delivery as we believe that we do not have the necessary skills in house.

Contracting for something like this will just leave you with a pile of stuff you can't operate or maintain. That model is a sop to management to meet a deadline but it's unworkable and just gives you a system that will rot in months and be insecure within years at best.

Having a resource come in and help existing technical staff learn what to do is good, but that isn't usually how this goes.

-- Scott

More information about the users mailing list