RE: [inc-librsvcs] sample use of mod_auth_location


  • From: "Lawrence, Gabriel" <>
  • To: <>, <>
  • Subject: RE: [inc-librsvcs] sample use of mod_auth_location
  • Date: Tue, 30 Oct 2007 08:38:22 -0700

Steven,

This is very similar to what we are thinking of doing as well. I don't think
we will be using mod_auth_location to accomplish this as we've already set up
a web authentication mechanism that supports multiple authentication backends
and has a user selectable GUI to do it.

Our UI guys are DOSd right now, or I'd have them looking at designing a "give
me a username and password or let me be a guest" page. I have some ideas about
how to do this, but they all break the nice modular object model and internal
design we've created. Somehow, GUIs always mess with you.

That said, I think we should move forward with building a mod_auth_location
demo as I think it generalizes to more people. Assuming we get a UI we'd be
glad to share that part.

gabe

-----Original Message-----
From: []
Sent: Tuesday, October 30, 2007 8:17 AM
To:
Subject: [inc-librsvcs] sample use of mod_auth_location

OK, this is *really really* crude..... but I hope that (for now) it's enough
to give people a sense of what this would look like.... in the real world,
this would be configured to protect EBSCO, or some other provider....

To try it, go here:

https://sp.testshib.org/

paste this string into the text box:
https://stc-test2.cis.brown.edu/shibboleth/testshib/idp

and hit enter....

You should see a page saying:

>Be guest
>
>Be yourself

(I told you it's *extremely* crude, didn't I? ;-) ).

If you click "Be guest", you'll be taken to a page that dumps out all of the
received attributes. Look for "Shib-EP-PrincipalName is:
". That's the userid that's used for guests (note that
the browser user *never* enters this value.)

If you click "Be yourself", you'll be presented with a Basic Authentication
login dialog -- type in Test_User017 (pass = elsevier1 ). This time, you'll
see "Shib-EP-PrincipalName is:
".

NOTE: a site can configure the Be guest/Be yourself page to match local
standards; for this initial demo, I'm using the default page (which, clearly,
is extremely simple).

So, how does this work? I've added these lines to my apache config file:

>## AuthLocationDefineLocation cox 68.9.253.1-206
>AuthLocationDefineLocation cox *.*.*.*
>
>AuthLocationDefineApplication testshib providerId=https%3A%2F%2Fsp.testshib.org QS
>## AuthLocationRequireAnonymous testshib cox Test_User016
>AuthLocationPermitAnonymous testshib cox Test_User016
>

The AuthLocationDefineLocation directive associates a label ("cox") with a
browser IP address (I was initially testing from home; I've now changed it to
match any address on the internet).

The AuthLocationDefineApplication directive associates a label
("testshib") with a string that will be found somewhere in the incoming url.

The AuthLocationRequireAnonymous directive (commented out) says "browsers
coming from location cox and accessing application testshib should ALWAYS be
automatically authenticated as Test_User016".

The AuthLocationPermitAnonymous directive (currently in use) says "ask the
user whether they want to be a guest or themselves; if they want to be a
guest, automatically authenticate them as Test_User016".

So, how does this really work? The browser user is trying to access a
Shib-enabled Service Provider. In this case, it happens to be a test site.
However, it could just as easily be Elsevier or EBSCO (except I don't want to
open those sites up to *everyone* on the Internet!).
This test SP redirects me back to my IdP (you pasted the identifier for that
IdP into that web page). You arrive at my test IdP with this
url:

https://stc-test2.cis.brown.edu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.testshib.org%2FShibboleth.sso%2FSAML%2FPOST&time=1193756793&target=cookie&providerId=https%3A%2F%2Fsp.testshib.org%2Fshibboleth%2Ftestshib%2Fsp

One of the parameters on this url tells my IdP where to redirect me after
I've authenticated. I've configured mod_auth_location to pattern match
against this url string. It matches this value --
"providerId=https%3A%2F%2Fsp.testshib.org" -- and pops up the "Be guest/Be
yourself" page.

Is this what people expected?

And yes, once there's consensus that this approach could work for campuses,
we can make a somewhat prettier demo!
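The directives quoted above, modelled as an added example (my own code, not mod_auth_location's and not from either mail) so an admin can check what a given browser address and IdP URL would be offered before putting a config in front of a real provider. The matching semantics are assumptions taken from the mail's description (octet patterns with `*` or `lo-hi` ranges, URL substring match, first matching rule wins), and the function that lists applications whose guest rule is bound to a match-everything location is the check for the "open to everyone on the Internet" case the mail itself warns about.

```python
# Added example, not from the mail and not mod_auth_location's own code: a model
# of the decision the quoted config describes. Assumed semantics: a location
# pattern is four octets, each a number, '*' or 'lo-hi'; an application pattern
# is a substring of the request URL; Require forces the guest identity, Permit
# offers the guest/self choice; '#' starts a comment.

def parse_config(text):
    """Parse directive lines into (locations, applications, rules)."""
    locations, applications, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        if name == "AuthLocationDefineLocation":
            locations[args[0]] = args[1]
        elif name == "AuthLocationDefineApplication":
            applications[args[0]] = args[1]  # trailing flags such as QS ignored here
        elif name in ("AuthLocationRequireAnonymous", "AuthLocationPermitAnonymous"):
            rules.append(("Require" in name, args[0], args[1], args[2]))
    return locations, applications, rules

def ip_matches(pattern, ip):
    """True if dotted-quad ip fits pattern; each pattern octet is N, '*' or 'lo-hi'."""
    pats, octets = pattern.split("."), ip.split(".")
    if len(pats) != 4 or len(octets) != 4:
        return False
    for p, o in zip(pats, octets):
        lo, _, hi = p.partition("-")
        if p != "*" and not int(lo) <= int(o) <= int(hi or lo):
            return False
    return True

def decide(config, client_ip, url):
    """Return ('auto', user), ('ask', user) or ('login', None); first matching rule wins."""
    locations, applications, rules = config
    for require, app, loc, user in rules:
        if applications[app] in url and ip_matches(locations[loc], client_ip):
            return ("auto" if require else "ask", user)
    return ("login", None)

def world_open_apps(config):
    """Applications whose guest rule is bound to a location matching every address."""
    locations, _, rules = config
    return sorted({app for _, app, loc, _ in rules
                   if all(p == "*" for p in locations[loc].split("."))})

DEMO_CONFIG = """  # constructed sample: the demo config from the mail
## AuthLocationDefineLocation cox 68.9.253.1-206
AuthLocationDefineLocation cox *.*.*.*
AuthLocationDefineApplication testshib providerId=https%3A%2F%2Fsp.testshib.org QS
## AuthLocationRequireAnonymous testshib cox Test_User016
AuthLocationPermitAnonymous testshib cox Test_User016
"""
```

Swapping the wildcard location for the commented-out home range and uncommenting the Require line turns the same URL into an automatic guest login only from that range and a normal login prompt from anywhere else.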


