AAF Shibboleth Rollout Workshop NOTE: an additional workshop is scheduled for Feb 2009 at MQ University for those who missed the events or would like to refresh/clarify ...
Attribute Acceptance Policy (AAP) On the Shibboleth SP side, all attributes that were received from the IdP's AA are mapped into the HTTP Request headers that are ...
Attribute Release Policy (ARP) On the Shibboleth IdP side, all releases of attributes that are "resolvable" by the resolver are determined by the use of Attributes ...
Acceptance Test Plan Background Each MAMS Mini-Grant Round-2 project involves establishing IdPs and SPs in the MAMS Testbed Level-2 Federation. In order to confirm ...
ShARPE Advanced Configuration GroupLookup 1. multiple GroupLookups are possible 2. implementation of GroupLookup has to implement au.edu.mq.melcoe.mams.sharpe.shib ...
SAML Artifacts cannot be dereferenced for unauthenticated requesters This relates to Federation.UnauthenticatedSP. However, this is more confusing as when you check ...
Assertion Condition Invalid You get this, typically, for 2 reasons: 1. the clock on your box is out of sync. This sometimes happens when using VMware, for example ...
Installation of Autograph Autograph is a web application. This page shows the steps necessary to get Autograph running on your Identity Provider ...
Autograph under the hood Idea Autograph needs data from many different sources. These sources are unfortunately very unstable. E.g. information ...
Autograph a personal privacy manager the federation becomes transparent Autograph makes privacy in a Shibboleth federation transparent and manageable. It allows ...
Autograph's integration in the Single Sign On (SSO) profile Idea The idea of integrating Autograph in Shibboleth SSO is to make the handling ...
IdP rejects any authentication attempts Typical error reads like: Unauthenticated principal. This protocol handler requires that authentication information be provided ...
Shibd complains that its socket is being used or can't connect to that socket This happens when shibd was not terminated properly and its socket is locked. Start ...
Cannot load configuration from filename This is typically caused by errors in idp.xml or shibboleth-idp's web.xml where a filename is referenced without full URI syntax ...
Error 500 Internal Server Error when trying to access a service Usually, you try to access this SP, sometimes you're successful, other times you've failed. Trying ...
SP Certificate is valid but IdP keeps rejecting it Things to check: make sure the IdP's 8443 is configured with optional_no_ca; make sure 8443 has SSLVerifyDepth 10, ...
Clock Skewed Error If the IdP or SP complains about clock skew, check that the boxes are running ntpdate properly. Make sure you run ntpdate every hour ...
Crosswalker for mapping attributes Data of institution members is normally saved in an LDAP directory or database. This database contains for each member an object with different ...
IdP Stopped Upon Tomcat Restart One of the most common reasons the IdP does not start is malformed configuration files. In many cases this causes the xerces ...
IdP JSPs are accessible, but 404 error is returned for IdP's servlet /SSO or /AA Check if you can access https://MY DNS/shibboleth-idp/login.jsp. This should display ...
Deakin University Acceptance Tests Theme : e-Lecture Service for Deakin Students and Staff Identity Provider Deakin University (part-institutional) Service Providers ...
Reason for Different Virtual Hosts for AA and SSO with Shibboleth IdP Due to a bug with Apache 2, it is necessary to run some IdP services on different ports/virtual ...
Joining the MAMS Level-1 Federation as an IdP using the MAMS Easy Install CD The following steps will guide you through the installation and configuration of the ...
Tomcat application doesn't get REMOTE_USER Make sure that the application is jk-mounted to the correct port, i.e. if you have port 8009 on workers2.properties workers ...
There could be many reasons why this happens. They range from: ShARPE is not installed properly; ShARPE is misconfigured. As ShARPE sits on top of your IdP, it is critical ...
Clock Skew Problems with Shibboleth Shibboleth IdP and SPs rely on SAML assertions being passed between them to exchange handles and attributes. Each assertion is ...
Frequently Asked Questions on Autograph What is the basic functionality of Autograph? Members of the Identity Provider can configure Service ...
Australian Access Federation Workshop 27-31 Aug 2007 Invitation information http://www.aaf.edu.au/docs/AAF-Workshop-August-2007.pdf PDF of Slides Shibboleth slides ...
Australian Access Federation Workshop (Minigrant) 17-18 Dec 2007 Sydney This workshop covers Shibboleth-only and restricted to Minigrant recipients, only very limited ...
Australian Access Federation Workshop 18-19 Feb 2008 Sydney This free workshop covers Federation (Shibboleth) technical deployment. Please register early to secure ...
Australian Access Federation Workshop 19-20 Nov 2007 Canberra This workshop covers Shibboleth-only and restricted to Australian Bureau of Statistics (ABS). PDF of ...
Australian Access Federation Workshop 15-17 Oct 2007 Perth Change of Location Note there is a change of location for the workshop. It will be held in Rendezvous Hotel ...
Australian Access Federation Shibboleth Workshop This free workshop covers Federation (Shibboleth) technical deployment. Please register early to secure your place ...
Frequently Asked Questions Common problems and their solutions when installing Shibboleth for use within the MAMS Testbed Federation How do I make sure that I get ...
General error processing request This is a catch all error on IdP. There are multiple reasons for this error, so let's check it out. if you see these lines on your ...
Generate EduPersonTargetedID Current Shibboleth does not ship with an easy to use eduPersonTargetedID tool. The old way of generating a value based on a hash of a ...
How to get REMOTE_USER in tomcat Tomcat treats REMOTE_USER with a special API. You can get it via request.getRemoteUser(). It will consume any headers named REMOTE ...
Group ARP Shibboleth comes with 2 types of ARPs: 1. site wide ARP (i.e. the whole organization-wide ARP) 2. user ARP This has some limitation in which administrators ...
GroupLookup The path way to dynamic group discovery in Shibboleth GroupLookup is designed as a plugin to Shibboleth to allow Shibboleth system (IdP) to be maximizing ...
How to Migrate from Level 1 to Level 2 of the Testbed Federation For members of the Level-1 Federation, it is advisable if you have connected your IdP to your institutional ...
Using certificate for back-channel The federation uses back-channel certificates to allow the SP to query the IdP for attributes (SAML artifact profile). For this purpose, the ...
How to use IP-based Protection There are times when IP-based is the only acceptable authentication mechanism used in the IdP (i.e. library machines). 1. enable mod ...
Identity Provider (IdP) The IdP, or so-called Home Institution, is the source of the user's credentials. This is basically the home organization at which the user can authenticate ...
Identity and Access Management (IAM) Suite The Identity and Access Management (IAM) Suite contains ShARPE and Autograph. These are two web applications to configure ...
Main.MoritzTheile 11 Aug 2006 A Servlet used in the IdP. In the Shibboleth standard configurations it is mapped to the URLs /shibboleth-idp/SSO, /shibboleth-idp ...
Notes from ABS Shibboleth Installation Based on current NDN VMware image the following steps were followed Upgrade Java to JDK (using yast) Install Shibboleth IdP ...
Deploying NDN Central on Debian VMWare hosts Tomcat security manager off unless security policy reworked to allow permissions MySQL configuration in /etc/mysql/my ...
Configuration of ports Note that NDNPortal currently redirects to a secure port, as configured in Tomcat server.xml ... this is typically port 443, with Shibboleth ...
NDN Setup (clean) Set permissions on tomcat webapps chown -R tomcat55:adm /usr/local/ndn/tomcat/webapps/NDN /usr/local/ndn/tomcat/webapps/ROOT Create a resources directory ...
Using A Commercial Certificate Signed by an Intermediate CA Authority in Shibboleth 1. First, in your idp.xml or shibboleth.xml you need to configure Shibboleth to ...
Invalid Assertion Consumer Service URL IdP has identified the SP, but the ACS presented by the SP is not what has been registered in the metadata. This could happen ...
Session Creation Error: Invalid credential Although the IdP has been configured properly such that its /SSO is protected by an appropriate mechanism and you're successfully ...
James Cook University / AIMS Acceptance Tests Theme : Content Management System and Data Storage System shared by James Cook University (JCU) and Australian Institution ...
LDAP Errors There can be many reasons why this error occurs, but it basically means that the connection to the LDAP is not set up properly. It is a good idea to check ...
Tomcat refuses to start when using tomcat authentication connecting to LDAP When you protect shibboleth-idp using tomcat authentication (rather than apache's authentication ...
Lazy Session Lazy session allows your application to decide when it wants to authenticate. Until that time attributes from the IdP will not be available to your application ...
Obtaining a Certificate from Level 1 CA The CA is intended for use only by the IdPs and SPs wishing to join Level-1. There is a simple check that requires that the ...
How to Migrate from Level 1 to Level 2 of the Testbed Federation Digital Certificates You will need both a frontend commercial SSL certificate, and a backend SSL ...
Redirection looping between SP and IdP after authentication There are a number of possible reasons for this: SP is misconfigured such that the SP application doesn't ...
Lunch menu Lunch is provided for the workshop on Thursday and Friday Please select your preferred lunch from the list An order sheet will be passed around, please ...
Manual Installation of Shibboleth Identity Provider Below are step-by-step instructions on setting up an IdP on a Debian Linux system, and joining Level-1 of the ...
Manual Installation of Shibboleth Service Provider Below are step-by-step instructions on building and configuring a Shibboleth SP on a Debian Linux system to be ...
Install Shibboleth-IdP As per ManualInstallIdP Install Shibboleth-SP As per ManualInstallSP ./configure --prefix=/usr/local/shibboleth-sp --enable-apache-22 --disable-mysql ...
University of Melbourne Acceptance Tests Theme : Federated Data Repository and high-performance computing (HPC) services for the Australian Laser Interferometer Gravitational ...
MAMS Testbed Federation Mini-Grant Scheme Background In order to promote growth and use of the "MAMS Testbed Federation", MAMS proposed a mini-grant scheme to DEST ...
MiniGrant Project Service Descriptions Service Description elements ServiceProvider @identity ServiceProviderIdentifier ServiceProviderName 1..n ServiceProviderLocation ...
Using mod_proxy to connect Apache/Httpd to Tomcat Steps 1. assumed you've enabled mod_proxy on your apache/httpd 2. edit appropriate vhost file to mount tomcat application ...
Murdoch University Acceptance Tests Theme : Virtual Librarian Service for Murdoch and Macquarie Universities Identity Providers Uses existing IdPs both Murdoch University ...
How to introduce a new attribute to SP Modify AAP.xml and add the entry accordingly. The above introduces a Fed-Fancy-Colour to the application (as header) or FancyColour ...
Cannot see list of attributes or list of groups in ShARPE This means your idp.xml configuration for GroupLookup has been misconfigured. Check that you have the correct ...
No Valid Authentication Statement SP can't find IdP's authentication statement. This can be the result of AAP rejecting the statement due to a number of reasons: ...
Not getting any headers By default you should be able to see these headers, as they are released by default in the Shibboleth SP: Shib-Identity-Provider Shib-Authentication-Method ...
PolicyFilter Preprocess Policies Prior Being Used Another extension of ArpRepository as provided by MAMS group is the notion of PolicyFilter. It allows selective ...
Browser/Artifact handler does not support HTTP method (POST) Somehow, the IdP sends a POST profile to your SP's artifact handler. POST profile is the default "response ...
MiniGrant Project Discussion Questions for each MiniGrant project during the workshop 1. Do you need to set up an IdP? 1. For each of those IdPs, what is the authentication ...
Using Apache Authentication to protect IdP You can protect IdP using tomcat or apache. This section shows how to protect it on apache. Steps 1. assumed tomcat and ...
How to protect shibboleth-idp using tomcat authentication Steps 1. make sure shibboleth-idp is not protected using apache 2. make sure $TOMCAT_HOME/webapps/shibboleth ...
Protecting Resources There are 2 ways of doing this. 1st is by making sure that the list of attributes read by application (supplied by AAP) are sufficient, and let ...
Appropriate ProviderID or EntityID Value The value you set for your organization EntityID determines the value for your IdP or SP providerID. So for example, if my ...
Attribute Resolver Attribute Resolver is a module of Shibboleth to discover user's attributes. The resolver has various plugins to connect to different data sources ...
How to restrict access to your application Suppose you want your application to be restricted to a specific !IdP only, or you'd want to accept specific attribute ...
Service Provider (SP) A Service Provider typically houses a number of services for members of the federation (or interested parties) to use. A typical SP would protect ...
Shib SP Daemon refuses to run If you experience this when you just finished building SP and have encountered some compilation issue previously, then the problem could ...
Service Provider Description Editor (SPDE) WebSharpe as well as Autograph require each SP to provide a description on the details of services that it has and the ...
If you encounter this error on the SP: Request Entity Too Large The requested resource /testapp does not allow request data with GET requests, or the amount of data ...
SSL Errors Typical SSL errors include: couldn't set callback. This is usually because different versions of openssl are being used. Make sure you have only 1 version ...
Session Creation Error This is one of the "catch-all" errors in Shibboleth. It basically boils down to check the log files to find out what's going on. Errors range ...
Shibboleth Attribute Release Policy Editor (ShARPE) ShARPE is developed as part of the collaboration between MAMS and Shibboleth. ShARPE's aim is to manage the creation ...
ClassCastException when ShARPE is running Could not start SharpeCore: java.lang.ClassCastException: edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository ...
Generation of eduPersonTargetedID using ShARPE ShARPE's mapping functionality can be used to generate ePTID as an attribute to be sent to a SP. Every time the user ...
Installation Procedure for ShARPE Assumptions 1. you have JDK 1.5 installed, ShARPE code uses JDK 1.5 features 2. you have fully configured IdP (tested on IdP 1.3c ...
Location of log files for ShARPE Check $TOMCAT_HOME/logs/sharpe.log, this log is rolled daily. You can configure your logging needs by editing $TOMCAT_HOME/webapps ...
SharpeCore SharpeCore taps into existing Shibboleth (version 1.3c at the moment) to provide extra functionalities. It integrates with Shibboleth seamlessly without ...
Shibboleth Authenticator for Confluence Updated and Official Version There is an official version of this "shibbolizing confluence" available at http://confluence ...
Using mod_proxy for Confluence or Jira This guide is applicable for Confluence and Jira. Assumptions confluence or jira fully installed and working httpd 2.2.x or ...
Shibboleth Authenticator for Jira Requirements apache 2.2 tomcat 5.5 jira 3.8 jira is installed NOT as root webapp download at http://www.federation.org.au/twiki ...
Main.MoritzTheile 16 Aug 2006 The Shibboleth software implements the OASIS SAML v1.1 specification, providing a federated Single-SignOn and attribute exchange framework ...
Indicating Shibboleth User Login Authentication Strength In the IdPConfig element, you can add the following line to indicate to the SP what is the method of authentication ...
Shibbolizing An Application In this guide, we will write a Java Server Page (JSP) application that will be protected by Shibboleth. The JSP is a simple "reflector ...
List of Shibbolized Applications Below is a list of free, open source applications that are known to have been successfully "shibbolized". A link is provided to the ...
Shibd Daemon Failed to Start One of the most common reasons the SP daemon does not start is malformed configuration files. In many cases this causes the xerces ...
Software This page contains links to software that is being used in the MAMS Testbed Federation. IdP Software Shibboleth IdP Source: shibboleth-idp-1.3.3.tar.gz ...
Problem with Security Library in JDK The reason for the errors below "java.security.SignatureException: RSA modulus too small" is due to the fact the Sun JDK was ...
Certificate Authorities supported in the Federation The following Certificate Authorities (CAs) are supported: AddTrustUTNServerCA Comodo InstantSSL CA Entrust ...
Changes in URN namespace for Easy Install CD v1 If you use the Easy Install CD v1 (Dec-Jan 2005/2006 release) or earlier, then you will need to make a change in the ...
If your IdP log complains with the following logs: 2008-06-06 12:19:51,754 DEBUG IdP Constructed a trust list from key authority. Attempting path validation... 2008 ...
IdP or SP spits error saying "Unauthenticated requesters" If you see the above errors, there are a number of conditions that can be at fault on either IdP or SP side ...
Uninstall ShARPE The script comes with a set of install/uninstall command. You can uninstall ShARPE from your existing IdP and restore the IdP to the state prior ...
Retrieving Federation Metadata Updates Securely After you have joined the Testbed Federation at either Level 1, 2 or 3, it is necessary to regularly download the ...
Upgrade To A Higher Testbed Federation Level MAMS will deploy three levels of Federation membership by the end of 2006. Currently only Level 1 and Level 2 have been ...
Using multiple certificates This condition is common when you are trying to configure your SP into level-2 and using AusCert cert on the back-end that is different ...
MAMS Testbed Federation Wiki Welcome to MAMS Testbed Federation. This Wiki has been setup to provide participants with information on topics such as: deploying Shibboleth ...
WebSharpe This is a web application that communicates directly to SharpeCore. This application allows user to visualize and manage ARPs with ease of use. Autograph ...
Sharpe Installation Guide NOTE: THIS GUIDE IS OBSOLETE. PLEASE REFER TO ShARPE INSTALLATION GUIDE FOR THE LATEST GUIDE The following will guide through the installation ...
ShARPE User Interface This guide will show the usage of WebSharpe from creation of contract/ARP to its manipulation and mapping of attributes. Create a contract for ...
Fail Compiling SP on the final stage Situation: you've got all the source files and libraries required you compile them one by one successfully you've seen a lot ...
Schedules for AAF Workshops When Where Link 2006 MQ, Sydney 1st Workshop 2006 MQ, Sydney 2nd Workshop August 2007 MQ, Sydney AAF August'07 Oct 2007 Perth AAF Oct ...
Workshop Manual Installation of Shibboleth Identity Provider Below are step-by-step instructions on setting up an IdP on a Debian Linux system, and joining Level ...
Workshop Manual Installation of Shibboleth Service Provider Below are step-by-step instructions on building and configuring a Shibboleth SP on a Debian Linux system ...
Rollout Workshop Configuration of Shibboleth Identity Provider Below are step-by-step instructions on setting up an IdP on a Debian Linux system, and joining Level ...
Workshop Shibbolizing An Application In this guide, we will write a Java Server Page (JSP) application that will be protected by Shibboleth. The JSP is a simple ...
I've upgraded to level-2 but now my SP doesn't work anymore First of all...Level-2 federation requires that you either have commercial certificates or use AusCert ...
Compiling xml-security library and it fails If you get an error compiling XMLSec and you notice an error related to XSECConfig.hpp, then what you need to do is: ...