
inc-student - Fwd: Digital Measures / USC Shib?

Subject: InCommon Federation Discussions About Online Student Services

  • From: Brendan Bellina <>
  • To: InC-Student <>
  • Subject: Fwd: Digital Measures / USC Shib?
  • Date: Fri, 05 Sep 2008 12:29:07 -0700

This is a recent thread between Digital Measures (Matt), an engineer in our Viterbi School of Engineering (Jason), and my Shibboleth IdP administrator (Russ). Because DM does not support Shibboleth, our School of Engineering is developing their own application, a Shibboleth shim, and will run the SP. This is similar to what we have done in the past with iTunes U. I thought that Russ's comments, though, on the ease with which the vendor should be able to do this right might be of interest to this group.

Regards,

Brendan Bellina
Mgr, Enterprise Middleware Development
USC ITS

Begin forwarded message:

From: Russell Beall <>
Date: August 27, 2008 3:52:03 PM PDT
To:
Cc:
Subject: Re: Digital Measures / USC Shib?
Reply-To:

It should not be necessary to require a Java SP. The SP is an independent part of the website setup which simply provides environment variables and optionally HTTP headers to an application. Java applications can read from the environment and can handle HTTP headers; therefore your vendor should be able to install the standard SP installation and get it to provide data to their application. It should be as simple as having a very basic JSP script which collects this data and forwards it to their application, linking the user to that data.

Their application only needs a front door which can accept Shibboleth attributes from the environment, which can be used in place of the usual custom username/password login page. They don't need to, and frankly should not try to, package a Shibboleth service provider into their application. In the end, they will only need to publish details on which variable names should be set up in the separately installed service provider which their application will consume.

It is the same thing you are doing with a shim, except integrated into their application structure.  If they understood how simple it actually was, many vendors would likely jump on it and implement it immediately.

One extra feature they should probably implement (also easy) is that they should provide a means to check the entitlement value for authorization to enter their application. They should provide a mechanism which checks for a particular value (defined by the vendor) for the "entitlement" variable supplied by Shibboleth. When Shibboleth does not provide this value, the application should display "Not Authorized" to the user attempting to log in. This can be done wholly in the SP, but for security, the application should also perform this check.

Russ.

On Aug 27, 2008, at 3:32 PM, Jason R. Dziegielewski wrote:

Russ,

Thanks for the help, I will go through the emails you sent over in detail tomorrow and give it a try.

I received this email from the vendor... looks like they are willing to look into Shibboleth again, but are stuck...  do you know of a good direction to send them?


Jason



---------- Forwarded message ----------
Date: Wed, 27 Aug 2008 14:45:54 -0400
From: Matthew J. Bartel <>
To: Jason R. Dziegielewski <>
Subject: RE: USC Merged system


Hi Jason,

I hope all is well.  As I understand it, you would like to use
Shibboleth with our system.  In fact, we would like to support
Shibboleth.  Unfortunately, it appears that no Java implementation of
Shibboleth 2.0 SP exists; the Shibboleth 1.3 Java SP project appears to
have been abandoned about 16 months ago, and no release has been made of
the Shibboleth 2.0 Java SP implementation.  Might you know of anyone
that is working on this?

Best regards,
-Matt
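
Added example, not part of the original thread and not code from Digital Measures or USC: a sketch in Java of the application "front door" described in Russ's message, which takes the attributes a separately installed SP supplies and repeats the entitlement check inside the application. The attribute names, the entitlement URN, and the `;` multi-value convention with `\;` as the escape are assumptions made for illustration; a vendor would publish its own names and values.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class ShibFrontDoor {
    // Hypothetical names and value: the vendor would publish the real ones.
    static final String USER_ATTR = "REMOTE_USER";
    static final String ENTITLEMENT_ATTR = "entitlement";
    static final String REQUIRED_ENTITLEMENT = "urn:example:vendor-app:user";

    // Split a multi-valued attribute. Assumed convention: values are joined
    // with ';' and a literal ';' inside a value is escaped as "\;".
    static List<String> splitValues(String raw) {
        List<String> values = new ArrayList<>();
        if (raw == null) return values;
        StringBuilder cur = new StringBuilder();
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c == '\\' && i + 1 < raw.length() && raw.charAt(i + 1) == ';') {
                cur.append(';'); i++;           // escaped separator stays in the value
            } else if (c == ';') {
                values.add(cur.toString()); cur.setLength(0);
            } else {
                cur.append(c);
            }
        }
        values.add(cur.toString());
        return values;
    }

    // Returns the user name to log in, or null when the application
    // should show "Not Authorized". Fails closed on missing attributes.
    static String admit(Map<String, String> spAttributes) {
        String user = spAttributes.get(USER_ATTR);
        if (user == null || user.trim().isEmpty()) return null;
        // Compare whole values exactly; a substring test would admit look-alike values.
        List<String> entitlements = splitValues(spAttributes.get(ENTITLEMENT_ATTR));
        return entitlements.contains(REQUIRED_ENTITLEMENT) ? user : null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs standing in for what the SP hands to the application.
        Map<String, String> ok = Map.of(USER_ATTR, "jdoe",
                ENTITLEMENT_ATTR, "urn:example:other;urn:example:vendor-app:user");
        Map<String, String> lookalike = Map.of(USER_ATTR, "jdoe",
                ENTITLEMENT_ATTR, "urn:example:vendor-app:user-trial");
        Map<String, String> missing = Map.of(USER_ATTR, "jdoe");
        System.out.println("ok: " + admit(ok));
        System.out.println("lookalike: " + admit(lookalike));
        System.out.println("missing: " + admit(missing));
    }
}
```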





