inc-librsvcs - sample use of mod_auth_location
InCommon Library Services list archive
Subject: sample use of mod_auth_location
Date: Tue, 30 Oct 2007 11:17:25 -0400
OK, this is *really really* crude..... but I hope that (for now) it's enough to give people a sense of what this would look like.... in the real world, this would be configured to protect EBSCO, or some other provider....
To try it, go here:
https://sp.testshib.org/
paste this string into the text box:
https://stc-test2.cis.brown.edu/shibboleth/testshib/idp
and hit enter....
You should see a page saying:
Be guest
Be yourself
(I told you it's *extremely* crude, didn't I? ;-) ).
If you click "Be guest", you'll be taken to a page that dumps out all of the received attributes. Look for "Shib-EP-PrincipalName is: ". That's the userid that's used for guests (note that the browser user *never* enters this value.)
If you click "Be yourself", you'll be presented with a Basic Authentication login dialog -- type in Test_User017 (pass = elsevier1 ). This time, you'll see "Shib-EP-PrincipalName is: ".
NOTE: a site can configure the Be guest/Be yourself page to match local standards; for this initial demo, I'm using the default page (which, clearly, is extremely simple).
So, how does this work? I've added these lines to my apache config file:
## AuthLocationDefineLocation cox 68.9.253.1-206
AuthLocationDefineLocation cox *.*.*.*
AuthLocationDefineApplication testshib providerId=https%3A%2F%2Fsp.testshib.org QS
## AuthLocationRequireAnonymous testshib cox Test_User016
AuthLocationPermitAnonymous testshib cox Test_User016
The AuthLocationDefineLocation directive associates a label ("cox") with a browser IP address (I was initially testing from home; I've now changed it to match any address on the internet).
The AuthLocationDefineApplication directive associates a label ("testshib") with a string that will be found somewhere in the incoming url.
The AuthLocationRequireAnonymous directive (commented out) says "browsers coming from location cox and accessing application testshib should ALWAYS be automatically authenticated as Test_User016".
The AuthLocationPermitAnonymous directive (currently in use) says "ask the user whether they want to be a guest or themselves; if they want to be a guest, automatically authenticate them as Test_User016".
So, how does this really work? The browser user is trying to access a Shib-enabled Service Provider. In this case, it happens to be a test site. However, it could just as easily be Elsevier or EBSCO (except I don't want to open those sites up to *everyone* on the Internet!). This test SP redirects me back to my IdP (you pasted the identifier for that IdP into that web page). You arrive at my test IdP with this url:
https://stc-test2.cis.brown.edu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.testshib.org%2FShibboleth.sso%2FSAML%2FPOST&time=1193756793&target=cookie&providerId=https%3A%2F%2Fsp.testshib.org%2Fshibboleth%2Ftestshib%2Fsp
one of the parameters on this url tells my IdP where to redirect me after I've authenticated. I've configured mod_auth_location to pattern match against this url string. It matches this value -- "providerId=https%3A%2F%2Fsp.testshib.org" -- and pops up the "Be guest/Be yourself" page.
Is this what people expected?
And yes, once there's consensus that this approach could work for campuses, we can make a somewhat prettier demo!
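The decision logic described in the message above, written out as an added example so it can be exercised offline. This is not mod_auth_location's own code and not part of the original message: it re-implements the semantics the message gives for the four directives (a location label bound to an IP pattern, an application label bound to a substring of the incoming URL, and RequireAnonymous/PermitAnonymous rules joining the two to a guest userid) and runs them against the config lines and the SSO URL quoted in the message. The per-octet pattern syntax (a bare number, a range like 1-206, or *) is assumed from the two patterns shown; the real module's parser and the exact meaning of the QS flag are not known here and are treated as assumptions. The example also adds an audit check that lists rules bound to a match-anything location, since a PermitAnonymous rule on *.*.*.* hands a guest userid to any client on the Internet that reaches the IdP with the matching providerId.

```python
"""Offline simulation of the mod_auth_location directives described in the post.

Added example: re-implements the described semantics, not the module's code.
Assumptions: IP patterns are four dot-separated fields, each a number, a range
'lo-hi' or '*'; the application string is matched as a raw substring of the
request URL (the trailing 'QS' flag is recorded but not interpreted).
"""

# Constructed copy of the config lines from the post; the RequireAnonymous
# line stays commented out, as it was in the post.
CONFIG = """
## AuthLocationDefineLocation cox 68.9.253.1-206
AuthLocationDefineLocation cox *.*.*.*
AuthLocationDefineApplication testshib providerId=https%3A%2F%2Fsp.testshib.org QS
## AuthLocationRequireAnonymous testshib cox Test_User016
AuthLocationPermitAnonymous testshib cox Test_User016
"""

# The SSO URL quoted in the post (the application string appears inside it).
SSO_URL = ("https://stc-test2.cis.brown.edu/shibboleth-idp/SSO?"
           "shire=https%3A%2F%2Fsp.testshib.org%2FShibboleth.sso%2FSAML%2FPOST"
           "&time=1193756793&target=cookie"
           "&providerId=https%3A%2F%2Fsp.testshib.org%2Fshibboleth%2Ftestshib%2Fsp")


def parse_config(text):
    """Return (locations, applications, rules) from the directive lines.

    locations:    label -> IP pattern
    applications: label -> URL substring
    rules:        list of (mode, app_label, location_label, user), in file order
    """
    locations, applications, rules = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):      # '##' lines are comments
            continue
        directive, *args = line.split()
        if directive == "AuthLocationDefineLocation":
            locations[args[0]] = args[1]
        elif directive == "AuthLocationDefineApplication":
            applications[args[0]] = args[1]        # args[2] would be the 'QS' flag
        elif directive == "AuthLocationRequireAnonymous":
            rules.append(("require", args[0], args[1], args[2]))
        elif directive == "AuthLocationPermitAnonymous":
            rules.append(("permit", args[0], args[1], args[2]))
    return locations, applications, rules


def octet_matches(pattern, value):
    """One field of the IP pattern against one octet (assumed syntax)."""
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = (int(x) for x in pattern.split("-", 1))
        return lo <= value <= hi
    return int(pattern) == value


def ip_matches(pattern, ip):
    """True if the dotted-quad client IP satisfies all four pattern fields."""
    fields = pattern.split(".")
    octets = [int(x) for x in ip.split(".")]
    if len(fields) != 4 or len(octets) != 4:
        return False
    return all(octet_matches(f, o) for f, o in zip(fields, octets))


def decide(config_text, client_ip, request_url):
    """Return (action, user): 'require' auto-logs in as user, 'permit' offers the
    guest/yourself choice, 'normal' means no rule applied (ordinary login)."""
    locations, applications, rules = parse_config(config_text)
    for mode, app, loc, user in rules:
        needle, ip_pattern = applications.get(app), locations.get(loc)
        if needle is None or ip_pattern is None:
            continue                               # rule references an undefined label
        if needle in request_url and ip_matches(ip_pattern, client_ip):
            return mode, user
    return "normal", None


def open_rules(config_text):
    """Audit: rules whose location matches every IPv4 address."""
    locations, _, rules = parse_config(config_text)
    return [(mode, app, user) for mode, app, loc, user in rules
            if locations.get(loc) == "*.*.*.*"]


if __name__ == "__main__":
    print(decide(CONFIG, "203.0.113.7", SSO_URL))   # ('permit', 'Test_User016')
    print(open_rules(CONFIG))                        # [('permit', 'testshib', 'Test_User016')]
```

Swapping the active DefineLocation line for the commented-out one (68.9.253.1-206) makes decide() return 'normal' for any client outside that /24 slice, which is the setting a campus would actually deploy: the guest userid should only be handed out for the address ranges the site has agreed to treat as on-site.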
- sample use of mod_auth_location, Steven_Carmody, 10/30/2007
- RE: [inc-librsvcs] sample use of mod_auth_location, Lawrence, Gabriel, 10/30/2007