Shibboleth with ANGEL LMS


Shibboleth with ANGEL LMS

Michael J. Wheeler
I was wondering if anyone on this list is using IdP with ANGEL LMS. ANGEL's website says it's been integrated with Shib, but upon contacting them, they only say that it's something that was developed by some of their customers and they don't support it or have any information on it.

--
Michael J. Wheeler
Assistant Director, Systems and Networking
Pittsburg State University
Phone:  620-235-4610
E-mail: [hidden email]

Shibboleth and Network Access

Mike Wiseman
Hello,

Has anyone implemented Shibboleth to provide authentication/authorization for network access using a web captive portal? My institution runs a Shib 1.3x IdP and I don't know if Shib 2.x features overcome the limitations of using it for network access. Limitations such as forwarding browser, remote IdP, and remote SSO traffic prior to successful authentication. The workaround I've seen used is to punch holes in network access firewalls, which is not a scalable solution.

Thanks,

Mike



Mike Wiseman
Computing and Networking Services
University of Toronto


RE: Shibboleth and Network Access

Cantor, Scott E.
> Has anyone implemented Shibboleth to provide authentication/authorization
> for network access using a web captive portal? My institution runs a Shib
> 1.3x IdP and I don't know if Shib 2.x features overcome the limitations of
> using it for network access.

There are no material changes to how SAML 2 works other than perhaps the use of encryption to make it more palatable to some people to push attributes rather than rely on a back channel.

> Limitations such as forwarding browser, remote
> IdP, and remote SSO traffic prior to successful authentication. The
> workaround I've seen used is to punch holes in network access firewalls
> which is not a scalable solution.

By definition, a federated model will require that the browser can reach the IdP it wants to use. An intranet with one IdP is obviously simpler. I don't see that in practical terms the back-channel issue makes much difference, since the server running an SP isn't really subject to the same limitations on access as the client would be.

Basically I don't know why you think it doesn't work, so it's impossible to guess whether anything is better, but I don't see how or why it would be.

-- Scott



RE: Shibboleth and Network Access

Mike Wiseman
>
> By definition, a federated model will require that the browser can
> reach the IdP it wants to use. An intranet with one IdP is obviously
> simpler. I don't see that in practical terms the back-channel issue
> makes much difference, since the server running an SP isn't really
> subject to the same limitations on access as the client would be.
>
> Basically I don't know why you think it doesn't work, so it's
> impossible to guess whether anything is better, but I don't see how or
> why it would be.
>

I'm referring to federated access to my institution's wireless network. The firewall controls on ports 80 and 443 prior to authn/authz block the SP redirect traffic, thus preventing the client browser from accessing the remote IdP/SSO.

Mike  

RE: Shibboleth and Network Access

Cantor, Scott E.
> I'm referring to federated access to my institution's wireless network. The
> firewall controls on port 80 and 443 prior to authn/authz block the SP
> redirect traffic thus preventing the client browser from accessing the
> remote IdP/SSO.

That's by definition with any federated approach other than proxying through RADIUS or similar. It's not Shib 1 or 2 or anything else, it's browser-based SSO period.

-- Scott



Re: Shibboleth and Network Access

Peter Schober
In reply to this post by Mike Wiseman
* Mike Wiseman <[hidden email]> [2009-01-12 17:43]:
> I'm referring to federated access to my institution's wireless
> network. The firewall controls on port 80 and 443 prior to
> authn/authz block the SP redirect traffic thus preventing the client
> browser from accessing the remote IdP/SSO.

open up your firewall to allow access to all IdPs' registered
endpoints in your federated metadata?

or have a look at http://www.eduroam.ca/ ?

cheers,
-peter

--
[hidden email] - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140
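A worked example of Peter's suggestion, added here and not part of his post or of any federation's tooling: given a federation metadata aggregate, collect the IdP SingleSignOnService hosts and ports that a captive portal would have to permit before authentication. The aggregate, entity IDs and hostnames below are constructed for illustration.

```python
# Added example (not from the thread): derive a captive-portal allowlist from
# SAML federation metadata, as Peter suggests above. The metadata below is
# constructed; real aggregates are signed and must be signature-verified
# before anything in them is trusted for a firewall rule.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample aggregate: one IdP (two SSO bindings, one on a
# non-default port) and one SP. SP endpoints are not needed in the
# allowlist because the browser already reaches the local SP.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example-university.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example-university.edu/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example-university.edu:8443/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example-college.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example-college.edu/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

def idp_sso_allowlist(metadata_xml):
    """Return sorted (host, port) pairs for every IdP SingleSignOnService.

    Only browser-facing SSO endpoints are collected: those are what a captive
    portal must let an unauthenticated client reach. Back-channel endpoints
    (ArtifactResolutionService, AttributeService) are contacted by the SP,
    not the browser, so they stay closed.
    """
    root = ET.fromstring(metadata_xml)
    allow = set()
    for sso in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", NS):
        url = urlsplit(sso.get("Location", ""))
        if url.scheme not in ("http", "https") or not url.hostname:
            continue  # skip malformed or non-web locations
        port = url.port or (443 if url.scheme == "https" else 80)
        allow.add((url.hostname, port))
    return sorted(allow)
```

The allowlist has to be refreshed whenever the federation republishes metadata, since IdP endpoints change and stale rules either lock out a partner or leave an old host open.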

RE: Shibboleth with ANGEL LMS

Andy Fisher
In reply to this post by Michael J. Wheeler
We've been using Shibboleth for our primary authentication in ANGEL at Penn
State for the past few years.  It's not a very difficult task on the ANGEL
side.  We use Lazy sessions in Shibboleth and a nugget on the home page
serves as our wayf.  We then use the returned attributes to create the
user's session in ANGEL.

There is at least one other university that is using Shibboleth.  They are
doing it the same way we are.  You are welcome to send me the ANGEL specific
code questions off list.  

Thanks,
-Andy

 

-----Original Message-----
From: Michael J. Wheeler [mailto:[hidden email]]
Sent: Monday, January 12, 2009 10:36 AM
To: [hidden email]
Subject: [Shib-Users] Shibboleth with ANGEL LMS

I was wondering if anyone on this list is using IdP with ANGEL LMS. ANGEL's
website says it's been integrated with Shib, but upon contacting them, they
only say that it's something that was developed by some of their customers
and they don't support it or have any information on it.

--
Michael J. Wheeler
Assistant Director, Systems and Networking
Pittsburg State University
Phone:  620-235-4610
E-mail: [hidden email]
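An illustration of the lazy-session arrangement Andy describes, added here as example code that is not ANGEL's and not from the thread: the SP is assumed to protect the application with requireSession=false, so unauthenticated requests reach the application, which sends the browser to the SP's Login handler with the IdP chosen on the home-page nugget as entityID, and builds its own session from the exported attributes once the SP session exists. Attribute ids (Shib-Session-ID, eppn, displayName) follow the SP's usual attribute-map.xml conventions; the function names and the environ layout are my assumptions.

```python
# Added example (not ANGEL code and not from the thread): the application
# side of a Shibboleth SP lazy session as Andy describes it. Assumes the SP
# protects the app with requireSession=false, so unauthenticated requests
# reach the app, which then sends the browser to the SP's Login handler with
# the IdP the user picked on the home-page nugget as entityID. Attribute
# names follow the SP's usual attribute-map.xml ids; function names are mine.
from urllib.parse import urlencode

LOGIN_HANDLER = "/Shibboleth.sso/Login"   # SP session initiator

def shib_attributes(environ):
    """Read attributes the SP exports as server environment variables.

    Environment variables are used rather than HTTP_* request headers on
    purpose: an in-process SP populates the environment and a client cannot
    forge it, whereas header export is only safe when the SP (or a proxy)
    strips same-named incoming headers.
    """
    return {
        "session": environ.get("Shib-Session-ID"),
        "eppn": environ.get("eppn"),
        "display_name": environ.get("displayName"),
    }

def handle_request(environ, chosen_idp=None):
    """Return (status, headers, body) for a lazy-session protected page."""
    attrs = shib_attributes(environ)
    if not attrs["session"] or not attrs["eppn"]:
        # No SP session yet: go to the session initiator and come back to
        # this URL once the IdP has authenticated the user.
        params = {"target": environ.get("REQUEST_URI", "/")}
        if chosen_idp:
            params["entityID"] = chosen_idp   # skips a separate WAYF/DS
        location = LOGIN_HANDLER + "?" + urlencode(params)
        return ("302 Found", [("Location", location)], b"")
    # SP session present: build the application session from attributes.
    # eppn is required above because it is the identifier the app keys on;
    # displayName is cosmetic and may be absent.
    who = attrs["display_name"] or attrs["eppn"]
    body = ("Welcome %s (%s)" % (who, attrs["eppn"])).encode()
    return ("200 OK", [("Content-Type", "text/plain")], body)
```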