Joint SP configuration for two applications- attributePrefix conflict

Alexander Ivanov alex at calmforce.com
Mon Nov 21 17:02:07 EST 2016


Hey guys,

We have two applications running on the same domain (different
sub-domains) that both need to be protected by Shibboleth authentication.
The goal for the Shibboleth configuration is to allow for Single Sign On
between the two applications (user enters credentials once and gains access
to both sites).

The two applications are a Drupal site (PHP) and a Dataverse
<http://dataverse.org/> instance (Java).  I've attempted to configure the
SP for both resources using a single entity ID, and ran into a problem
because of an attributePrefix configuration.

Steps performed
Followed the example of setting up a Shared Entity SP as described here:
https://docs.shib.ncsu.edu/docs/advanced/spscale.html
Configured our IdP to bypass endpoint checks when the request is signed, as
described here:
https://docs.shib.ncsu.edu/docs/advanced/bypassends.html
Config changes made, as per the documentation from the NCSU page:

   - /etc/shibboleth/shibboleth2.xml: added signing="true" to the
   ApplicationDefaults tag
   - /opt/shibboleth-idp/conf/relying-party.xml: added
   skipEndpointValidationWhenSigned="true"

Analysis
After the configuration changes above were made, Shibboleth login worked
for Drupal but not for Dataverse. A Shibboleth session was created
correctly when the login attempt was made from either application. However,
auto-login did not work for Dataverse, although it did work correctly for
the Drupal site.

I realized the reason that the above configuration did not work for
Dataverse is because of the attributePrefix defined in the
ApplicationDefaults config for Dataverse:
<ApplicationDefaults entityID="https://dv.stage.qdr.org/shibboleth"
REMOTE_USER="eppn" attributePrefix="AJP_">

The Dataverse application is coded to use an attribute prefix for
Shibboleth attributes, whereas Drupal is not.  Considering this, is a
Shared Entity SP configuration possible?  Or do I need to configure our SP
to use individual entity IDs for Drupal and Dataverse, so that the
configuration for these two resources can be different: one with an
attributePrefix and one without?

I've been able to successfully configure the SP with two different entity
IDs (see attached shibboleth2.xml file); however, this does not create a
working configuration for Single Sign On because if a user is authenticated
for one of the sites he is not recognized as logged-in after navigating to
the other site.

Please advise on the best way to configure the Shibboleth SP and IdP for
SSO authentication for our two applications.

Thanks in advance,

Alex
-------------- next part --------------
A non-text attachment was scrubbed...
Name: shibboleth2.joint.xml
Type: text/xml
Size: 6793 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20161121/18709978/attachment-0001.xml>
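One way the SP can keep a single entityID and still apply attributePrefix only to the Dataverse vhost, shown as an added example that is neither the poster's attached shibboleth2.joint.xml nor the NCSU page's configuration: an ApplicationOverride selected per host by the RequestMapper. The Drupal hostname and the IdP entityID are placeholders; dv.stage.qdr.org, the SP entityID, REMOTE_USER and signing="true" come from the post.

```xml
<!-- Constructed excerpt of a shibboleth2.xml; MetadataProvider, CredentialResolver,
     AttributeExtractor and the rest of a full file are omitted. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">

    <RequestMapper type="Native">
        <RequestMap applicationId="default">
            <!-- Drupal reads unprefixed variables, so it stays on the defaults.
                 drupal.example.org is a placeholder hostname. -->
            <Host name="drupal.example.org" authType="shibboleth" requireSession="true"/>
            <!-- Dataverse expects AJP_-prefixed attributes: route this host
                 to the override declared below. -->
            <Host name="dv.stage.qdr.org" applicationId="dataverse"
                  authType="shibboleth" requireSession="true"/>
        </RequestMap>
    </RequestMapper>

    <ApplicationDefaults entityID="https://dv.stage.qdr.org/shibboleth"
                         REMOTE_USER="eppn" signing="true">
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https">
            <!-- idp.example.org is a placeholder IdP entityID. -->
            <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2</SSO>
            <Logout>SAML2 Local</Logout>
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
        </Sessions>

        <!-- No entityID here: the override inherits the shared one, plus
             signing="true"; only the attribute prefix differs. Its handlers
             live on dv.stage.qdr.org, which is why the IdP must accept an ACS
             location not in metadata (the skipEndpointValidationWhenSigned
             setting from the post). -->
        <ApplicationOverride id="dataverse" attributePrefix="AJP_"/>
    </ApplicationDefaults>
</SPConfig>
```

Each application (defaults and override) keeps its own SP session cookie, so a user already logged in at the Drupal host is still redirected to the IdP on the first request to dv.stage.qdr.org; with a live IdP session that round trip completes without a credential prompt, which can be checked from the override's /Shibboleth.sso/Session handler.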