Using Shibboleth with multiple IDP's

Using Shibboleth with multiple IDP's

sai_code
 Hi All,

 I am new to Shibboleth, and I am using version 2.0 installed on a server.

 I want to integrate this Shibboleth SP with multiple IdPs, like institute IdPs.

 Can anyone tell me how to integrate with multiple IdPs, please?


 Thanks in Advance
 Sesha valli



Re: Using Shibboleth with multiple IDP's

Chad La Joie
Load the metadata for the various IdPs into the SP.

[hidden email] wrote:

>  Hi All,
>
>  I am new to Shibboleth, and I am using version 2.0 installed on a server.
>
>  I want to integrate this Shibboleth SP with multiple IdPs, like institute IdPs.
>
>  Can anyone tell me how to integrate with multiple IdPs, please?
>
>
>  Thanks in Advance
>  Sesha valli
>
>

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[hidden email], http://www.switch.ch


Re: Using Shibboleth with multiple IDP's

Nate Klingenstein
In reply to this post by sai_code
Sesha,

There are two things you need to do to use multiple IdPs.

The first is simple: you must load the metadata of all the IdPs.  This can be done either through consolidating all the individual metadata descriptors into one file, or by creating multiple MetadataProvider elements to load each IdP's metadata individually.

The second can be easy or difficult.  You need to provide a way for your users to choose the right IdP to go to.  You could create multiple SessionInitiator elements, each pointing at one IdP, and use buttons on the webpage to refer to them (see the registration login at TestShib for an example).  Alternatively, you can set up a DS and point the SessionInitiator at that.  The DS will need to load all the IdPs' metadata too, then.

Please ask for clarification where and how you need it,
Nate.

On 4 Mar 2009, at 11:48, [hidden email] wrote:

>  Hi All,
>
>  I am new to Shibboleth, and I am using version 2.0 installed on a server.
>
>  I want to integrate this Shibboleth SP with multiple IdPs, like institute IdPs.
>
>  Can anyone tell me how to integrate with multiple IdPs, please?




Re: Re: Using Shibboleth with multiple IDP's

sai_code

 Hi Nate,

 For testing we are using a session initiator like:

 <SessionInitiator type="Chaining" Location="/TestShib" id="TestShib"
                   relayState="cookie" entityID="https://idp.testshib.org/idp/shibboleth" isDefault="true">
     <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
     <SessionInitiator type="Shib1" defaultACSIndex="5"/>
 </SessionInitiator>

 Here we have isDefault="true" to go to the TestShib IdP.

 But when we have a list of institutes to go to the corresponding IdP, how do we know
 the corresponding IdP to go to by having multiple session initiator elements?

 Can you give me some example code to follow, please?

  Thanks in Advance
  Sesha valli

Re: Re: Using Shibboleth with multiple IDP's

Peter Schober
* [hidden email] <[hidden email]> [2009-03-04 13:31]:
>  Here we have isDefault="true" to go to the TestShib IdP.
>
>  But when we have a list of institutes to go to the corresponding IdP, how do we know
>  the corresponding IdP to go to by having multiple session initiator
>  elements?

I'll describe the path to get to the desired information:

First, here the start page of the Shibboleth Wiki, the official docs:
https://spaces.internet2.edu/display/SHIB2/

Configuration then starts here:
https://spaces.internet2.edu/display/SHIB2/Configuration

Finally: Native Service Provider (SP) -- Talk to a New Identity Provider
https://spaces.internet2.edu/display/SHIB2/NativeSPAddIdP
(You can ignore everything but the first paragraph)

And no, you don't need a separate session initiator for every IdP.
But you do need to read the replies already given to you.

Add metadata, decide on a user interface for selection of IdPs, then
either deploy a Discovery Service or create some interface to choose
IdPs from a list, e.g. by adding an entityID parameter to the HTTP
request to a SessionInitiator:
https://spaces.internet2.edu/display/SHIB2/NativeSPSessionCreationParameters

cheers
-peter

--
[hidden email] - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140

RE: Re: Using Shibboleth with multiple IDP's

Cantor, Scott E.
> And no, you don't need a separate session initiator for every IdP.

Yes, that's old advice that dates to 1.3, and is no longer necessary.
There are very few cases where multiple handlers would be needed, probably
involving multiple discovery/wayf services.

-- Scott



Re: Re: Re: Using Shibboleth with multiple IDP's

sai_code
In reply to this post by Peter Schober
 Hi Peter,
 
 So my understanding of your email is:

   In our sample site we had a page for selection of an institute to go to the
 corresponding IdP. When we select a particular institute we should change
 "shibboleth2.xml" by updating the SessionInitiator attributes entityID and
 targetUrl dynamically so that it redirects to the required IdP and redirects
 to the target URL.

 Is it right?

 Can you please tell me what the step to take is if it is wrong?

 Thanks in Advance
 Sesha valli

Re: Using Shibboleth with multiple IDP's

Peter Schober
* [hidden email] <[hidden email]> [2009-03-05 06:14]:
>    In our sample site we had a page for selection of an institute to go to the
>  corresponding IdP. When we select a particular institute we should change
>  "shibboleth2.xml" by updating the SessionInitiator attributes entityID and
>  targetUrl dynamically so that it redirects to the required IdP and redirects
>  to the target URL.

No, you supply an entityID request parameter to the existing
SessionInitiator, see
https://spaces.internet2.edu/display/SHIB2/NativeSPSessionCreationParameters

But first the SP needs metadata for the relevant IdPs, of course.
cheers,
-peter

--
[hidden email] - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140

Re: Using Shibboleth with multiple IDP's

sai_code
In reply to this post by sai_code
Hi Peter,

Why I am asking is I didn't get how we can have more IdP URLs in the session initiator element.


We update all IdPs' metadata in the metadata provider of the SP.

Thanks
Valli

--- On Thu, 5/3/09, Peter Schober <[hidden email]> wrote:

From: Peter Schober <[hidden email]>
Subject: Re: [Shib-Users] Using Shibboleth with multiple IDP's
To: [hidden email]
Date: Thursday, 5 March, 2009, 8:17 AM



* sai_code@... <sai_code@...> [2009-03-05 06:14]:
>    In our sample site we had a page for selection of an institute to go to the
>  corresponding IdP. When we select a particular institute we should change
>  "shibboleth2.xml" by updating the SessionInitiator attributes entityID and
>  targetUrl dynamically so that it redirects to the required IdP and redirects
>  to the target URL.

No, you supply an entityID request parameter to the existing
SessionInitiator, see
https://spaces.internet2.edu/display/SHIB2/NativeSPSessionCreationParameters

But first the SP needs metadata for the relevant IdPs, of course.
cheers,
-peter

--
peter.schober@... - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140



Re: Using Shibboleth with multiple IDP's

Peter Schober
* Sailaja B <[hidden email]> [2009-03-05 10:46]:
> Why I am asking is I didn't get how we can have more IdP URLs in the
> session initiator element.

You don't. You initiate sessions with whatever IdP you want by
specifying the IdP's entityID (in urlencoded form) to the existing
SessionInitiator's handler URL.
e.g. https://example.org/Shibboleth.sso/Login?entityID=<someIdP>

But there are several ways to do that, as has already been pointed out
(using the Internet2 Discovery Service, the SWITCH WAYF/DS, the SWITCH
embedded WAYF/DS in JavaScript, etc.)

cheers,
-peter

--
[hidden email] - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140
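The two steps the thread converges on, loading the IdPs' metadata into the SP (Nate's first step) and then starting a session by handing the chosen IdP's urlencoded entityID to the existing SessionInitiator handler (Peter's answer above), as an added Python example. This is not code from the thread or from the Shibboleth project: the metadata aggregate, the institute list, the SP hostname `sp.example.org` and the return path are constructed for the example, and the `target` parameter is assumed from the session-creation-parameters page Peter links. The institute page only offers IdPs whose metadata is actually loaded, since the SP will refuse any other entityID, and it keeps the post-login target on the SP's own host so the selection page cannot be turned into an open redirect.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed metadata aggregate: two fictional IdPs plus the SP itself.
# A real SP loads this through its MetadataProvider element(s); the
# entityIDs here are invented for the example.
IDP_METADATA = """<?xml version="1.0"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://idp.alpha-college.example/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.beta-institute.example/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
"""

# Constructed institute list for the selection page. The third entry has no
# metadata loaded, so the SP would reject it; we reject it up front as well.
INSTITUTES = {
    "Alpha College": "https://idp.alpha-college.example/idp/shibboleth",
    "Beta Institute": "https://idp.beta-institute.example/idp/shibboleth",
    "Gamma School": "https://idp.gamma-school.example/idp/shibboleth",
}

SP_HOST = "sp.example.org"                                  # assumed SP hostname
LOGIN_HANDLER = f"https://{SP_HOST}/Shibboleth.sso/Login"   # SessionInitiator handler URL


def known_idps(metadata_xml):
    """Return the entityIDs of every IdP described in a metadata aggregate.

    Only EntityDescriptors carrying an IDPSSODescriptor count; the SP's own
    entry (SPSSODescriptor) is not somewhere a user can log in.
    """
    root = ET.fromstring(metadata_xml)
    idps = set()
    for ed in root.iter(f"{{{SAML_MD_NS}}}EntityDescriptor"):
        if ed.find(f"{{{SAML_MD_NS}}}IDPSSODescriptor") is not None:
            idps.add(ed.get("entityID"))
    return idps


def safe_target(target):
    """Accept only a path on this SP or an https URL on the SP's own host.

    target is where the SP sends the user after login; keeping it on our own
    host stops the selection page from acting as an open redirect.
    """
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        return target.startswith("/") and not target.startswith("//")
    return parts.scheme == "https" and parts.netloc == SP_HOST


def login_url(institute, target, idps):
    """Build the handler URL that starts a session with the chosen IdP.

    urlencode percent-encodes the entityID (':' and '/' included), which is
    the urlencoded form the SP expects in the entityID parameter.
    """
    entity_id = INSTITUTES.get(institute)
    if entity_id is None:
        raise KeyError(f"unknown institute: {institute}")
    if entity_id not in idps:
        raise ValueError(f"no metadata loaded for {entity_id}; the SP would reject it")
    if not safe_target(target):
        raise ValueError(f"refusing off-site target: {target}")
    return LOGIN_HANDLER + "?" + urlencode({"entityID": entity_id, "target": target})


if __name__ == "__main__":
    loaded = known_idps(IDP_METADATA)
    for name in INSTITUTES:
        try:
            print(name, "->", login_url(name, "/secure/index.html", loaded))
        except ValueError as err:
            print(name, "->", err)
```

Each link on the institute page is just `login_url(name, ...)`; one SessionInitiator serves every IdP, and the only per-IdP work is keeping its metadata loaded. A Discovery Service does the same job on the SP's behalf when the list of institutes is too long to maintain by hand.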

Re: Re: Using Shibboleth with multiple IDP's

sai_code

 Thank you very much, Peter.


 Thanks & Regards
 Valli