users Digest, Vol 50, Issue 126
Tony Pugielli
tpugielli at tti-wireless.com
Thu Aug 20 21:38:16 EDT 2015
Aruba has a feature called automatic sign-on. When a user authenticates to wireless via 802.1X and makes a call to a web page that would be authenticated against Shibboleth, we intercept the call and send it to ClearPass so it can send an SSO token with the user's credentials to the web page, so they don't need to log in. In this case I believe we are the IdP. I think this is also called SAML chaining.
I apologize if I am not totally clear. I am not that familiar with SAML but working on getting up to speed on it.
Sent from my iPhone
> On Aug 20, 2015, at 9:29 PM, "users-request at shibboleth.net" <users-request at shibboleth.net> wrote:
>
> Send users mailing list submissions to
> users at shibboleth.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://shibboleth.net/mailman/listinfo/users
> or, via email, send a message with subject or body 'help' to
> users-request at shibboleth.net
>
> You can reach the person managing the list at
> users-owner at shibboleth.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of users digest..."
>
>
> Today's Topics:
>
> 1. setup for SP proxy (Tony Pugielli)
> 2. Re: Add test shibboleth metadata to InCommon metadata file
> (Michael A Grady)
> 3. Re: Add test shibboleth metadata to InCommon metadata file
> (Cantor, Scott)
> 4. Re: setup for SP proxy (Cantor, Scott)
> 5. RE: ADFS integration (Paul B. Henson)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 21 Aug 2015 00:23:50 +0000
> From: Tony Pugielli <tpugielli at tti-wireless.com>
> To: "users at shibboleth.net" <users at shibboleth.net>
> Subject: setup for SP proxy
> Message-ID: <6911716E-E2F9-4E66-9DDC-D4DE19480DAB at tti-wireless.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Good evening. Is there any documentation on how to setup shibboleth as an SP proxy? I am tying into Aruba's ClearPass and it requires shibboleth to act as an SP proxy.
>
> Any help would be appreciated
>
> Thank You
>
> Sent from my iPhone
>
> ------------------------------
>
> Message: 2
> Date: Thu, 20 Aug 2015 19:28:02 -0500
> From: Michael A Grady <mgrady at unicon.net>
> To: Shib Users <users at shibboleth.net>
> Subject: Re: Add test shibboleth metadata to InCommon metadata file
> Message-ID: <EC1AF0DF-3DFE-4189-832A-12807AA2480A at unicon.net>
> Content-Type: text/plain; charset=us-ascii
>
>
>> On Aug 20, 2015, at 7:20 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>>
>> On 8/20/15, 7:59 PM, "users on behalf of John Kamminga" <users-bounces at shibboleth.net on behalf of jkamminga at ucmerced.edu> wrote:
>>
>>> I have a test instance of Shibboleth IdP v2.4.2 running and would like to add the metadata to the InCommon metadata file so I can test with some SPs.
>>>
>>>
>>> Do I just upload the shib test X.509 certificate to the InCommon Federation Manager and then add it to my existing production metadata? Or, do I need to have a separate metadata entityId in the InCommon Metadata file?
>>
>> That's not a totally well-defined question because "testing" can mean a lot of different things, but generally speaking there is no reason to test an IdP that way. You can emulate your existing IdP top to bottom and use local /etc/hosts changes to do your testing, as long as the back channel isn't involved.
>>
>> -- Scott
>
> And you can't register a 2nd IdP with InCommon unless you want to spend extra dollars:
>
> https://spaces.internet2.edu/display/InCFederation/Test+IdPs+in+Metadata
>
> But as Kevin Foote noted, you really want to check with InCommon administration to get the official answers, through your InCommon Site Admin and/or Exec.
>
> --
> Michael A. Grady
> IAM Architect, Unicon, Inc.
>
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 21 Aug 2015 00:30:21 +0000
> From: "Cantor, Scott" <cantor.2 at osu.edu>
> To: Shib Users <users at shibboleth.net>
> Subject: Re: Add test shibboleth metadata to InCommon metadata file
> Message-ID: <591FB529-A271-424B-A48E-F5C3A70FCF54 at osu.edu>
> Content-Type: text/plain; charset="utf-8"
>
>> On 8/20/15, 8:28 PM, "users on behalf of Michael A Grady" <users-bounces at shibboleth.net on behalf of mgrady at unicon.net> wrote:
>>
>> And you can't register a 2nd IdP with InCommon unless you want to spend extra dollars:
>>
>> https://spaces.internet2.edu/display/InCFederation/Test+IdPs+in+Metadata
>>
>> But as Kevin Foote noted, you really want to check with InCommon administration to get the official answers, through your InCommon Site Admin and/or Exec.
>
> You can also provide more background on the testing scenario and requirements, goals, what have you, and we can suggest the best approaches. There may be constraints we don't know, such as a forced hostname change, key or entityID changes (just don't), etc.
>
> -- Scott
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 21 Aug 2015 00:42:22 +0000
> From: "Cantor, Scott" <cantor.2 at osu.edu>
> To: Shib Users <users at shibboleth.net>
> Subject: Re: setup for SP proxy
> Message-ID: <4BE5D153-0CA2-40C6-8338-52BF60D38C78 at osu.edu>
> Content-Type: text/plain; charset="utf-8"
>
>> On 8/20/15, 8:23 PM, "users on behalf of Tony Pugielli" <users-bounces at shibboleth.net on behalf of tpugielli at tti-wireless.com> wrote:
>>
>> Good evening. Is there any documentation on how to setup shibboleth as an SP proxy? I am tying into Aruba's ClearPass and it requires shibboleth to act as an SP proxy.
>
> I'm really not sure what you mean by that.
>
> We have ClearPass at OSU, and it acts as a SAML SP, which our IdP is successfully working with on our wireless network for device registration.
>
> I don't know if you're talking about the IdP, SP, or in what sense you think it can be a proxy. As a general matter, that isn't our design, but it depends what you're talking about.
>
> -- Scott
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 21 Aug 2015 01:28:43 +0000
> From: "Paul B. Henson" <henson at cpp.edu>
> To: Shib Users <users at shibboleth.net>
> Subject: RE: ADFS integration
> Message-ID: <SN1PR01MB17580385AAB6CF28702CC5DBD2650 at SN1PR01MB1758.prod.exchangelabs.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
>> From: Johan Åkerström
>> Sent: Thursday, August 20, 2015 1:48 AM
>>
>> I sense a bit of open/proprietary code politics here, but hey, it is not my prerogative
>> to criticize.
>
> Heh, I certainly won't deny a bias for open source software, but this isn't really about open versus proprietary code, more about open versus proprietary standards. Rather than being able to easily avail of whatever SAML based solution you might have, they pretty much try to force you to run ADFS.
>
>> authentication protocol in SAML. So if your front end authn solution is
>> Shibboleth or ADFS now it doesn't mean it has to be at a later stage.
>
> I don't like wasting time implementing one thing when the goal is to be another thing; while not always feasible, my preference is to simply try to aim for the final product from the beginning...
>
>> If you need to overcome the Claims Provider solution then you have two options
>> in ADFSv3.
>
> Thanks, I will pass this info on to our Windows guys for evaluation.
>
>
> --
> Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
> Operating Systems and Network Analyst | henson at cpp.edu
> California State Polytechnic University | Pomona CA 91768
>
>
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>
> ------------------------------
>
> End of users Digest, Vol 50, Issue 126
> **************************************
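The automatic sign-on flow described at the top of this digest has an intermediary (ClearPass) minting the SSO token that the downstream web page consumes, and Scott's reply notes that ClearPass normally sits on the SP side of the Shibboleth IdP. Whichever party ends up issuing the assertion, the relying party must still enforce the checks that keep a proxied or chained assertion from being replayed or redirected. The following is an added example, not code from Shibboleth, Aruba ClearPass, or anyone on the thread. It shows the non-cryptographic checks on a SAML 2.0 Response: Destination, InResponseTo against outstanding requests, Status, a single Assertion from the configured Issuer, Conditions time window with clock skew, AudienceRestriction, and bearer SubjectConfirmationData. XML-DSig signature verification (via xmlsec or pysaml2, for instance) must run before these checks and is deliberately not implemented here. The entityIDs, URLs, issuer, and the sample response are constructed assumptions.

```python
"""Relying-party checks on a SAML 2.0 Response (added example; not Shibboleth,
ClearPass or list-member code). Signature verification must precede these checks
and is intentionally out of scope for this block."""
import xml.etree.ElementTree as ET
from collections import namedtuple
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Hypothetical relying-party configuration; none of these values come from the thread.
SP_ENTITY_ID = "https://portal.example.edu/shibboleth"
ACS_URL = "https://portal.example.edu/Shibboleth.sso/SAML2/POST"
EXPECTED_ISSUER = "https://clearpass.example.edu/idp"   # the only issuer we trust
CLOCK_SKEW = timedelta(seconds=180)

Result = namedtuple("Result", "ok name_id reason")


def _ts(value):
    """Parse a SAML UTC timestamp such as 2015-08-21T01:00:00Z (fractional seconds tolerated)."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(xml_text, outstanding_request_ids, now):
    """Apply the checks an SP must make on a bearer assertion after the signature
    has been verified. Returns Result(ok, name_id, reason) naming the failed check."""
    def fail(reason):
        return Result(False, None, reason)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return fail("not a samlp:Response")
    # The response must be addressed to our ACS, not merely relayed to it.
    if root.get("Destination") != ACS_URL:
        return fail("Destination mismatch")
    # Reject unsolicited or replayed responses: InResponseTo must be a request we issued.
    irt = root.get("InResponseTo")
    if irt not in outstanding_request_ids:
        return fail("InResponseTo does not match an outstanding AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return fail("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return fail("expected exactly one Assertion")
    a = assertions[0]
    # A chained or proxying IdP is only trusted if it is the configured issuer.
    if a.findtext("saml:Issuer", namespaces=NS) != EXPECTED_ISSUER:
        return fail("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return fail("missing Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + CLOCK_SKEW < _ts(nb):
        return fail("assertion not yet valid")
    if noa and now - CLOCK_SKEW >= _ts(noa):
        return fail("assertion expired")
    # An assertion minted for a different SP must not be accepted here.
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return fail("Audience does not include this SP")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = sc.find("saml:SubjectConfirmationData", NS) if sc is not None else None
    if sc is None or scd is None or sc.get("Method") != BEARER:
        return fail("missing bearer SubjectConfirmation")
    if scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != irt:
        return fail("SubjectConfirmationData Recipient/InResponseTo mismatch")
    if scd.get("NotOnOrAfter") and now - CLOCK_SKEW >= _ts(scd.get("NotOnOrAfter")):
        return fail("SubjectConfirmationData expired")
    return Result(True, a.findtext("saml:Subject/saml:NameID", namespaces=NS), "ok")


# Constructed sample (not captured from any real deployment): a successful response
# to request _req1, valid from 00:59 to 01:05 UTC on 2015-08-21.
SAMPLE_NOW = datetime(2015, 8, 21, 1, 0, 30, tzinfo=timezone.utc)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="2015-08-21T01:00:00Z"
  Destination="{ACS_URL}" InResponseTo="_req1">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-08-21T01:00:00Z">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe@example.edu</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="_req1"
          NotOnOrAfter="2015-08-21T01:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-08-21T00:59:00Z" NotOnOrAfter="2015-08-21T01:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, {"_req1"}, SAMPLE_NOW))   # accepted
    print(validate_response(SAMPLE_RESPONSE, {"_req2"}, SAMPLE_NOW))   # rejected as unsolicited
```

The set of outstanding request IDs is the SP's own state; an intermediary that injects a response the SP never asked for fails the InResponseTo check, and an assertion issued for another SP fails the Audience check even if its signature is good. The clock-skew allowance is an assumed value and should match what the IdP and SP in a real deployment agree on.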