PresConsUIUC / PSAP

Home of the Preservation Self-Assessment Program application.
https://psap.library.illinois.edu/

Shibboleth authentication #207

Closed adolski closed 9 years ago

adolski commented 9 years ago

Mostly from HD:

Overview:

My preference is to use Apache with the requisite setup as a reverse proxy server for the actual Rails application (as is done in Medusa) running on whatever your favorite Rails server is (passenger, unicorn, thin, etc.). This lets Apache handle interacting with the actual shibboleth servers while not requiring you to go through the contortions you need to run something like passenger inside of Apache. The downside is that you have to use headers instead of environment variables to pass shibboleth attributes, but that's a small price to pay. You need to do a little set up to get Apache and the Rails server working together properly, but that's pretty easy.

For the Rails coding part I typically use the omniauth authorization framework and the omniauth-shibboleth gem. If you take a look at how these are used in Medusa that will give a lot of the information that you need.

Details:

http://www.cites.illinois.edu/shibboleth/index.html http://www.cites.illinois.edu/shibboleth/quickstart http://www.cites.illinois.edu/shibboleth/uofi https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall

Look in /etc/shibboleth for the shibboleth stuff (most of this comes with the package; it looks like I only had to modify the attribute-map.xml and shibboleth2.xml and you can diff those against the originals for an idea of what you have to do). I think there are also some certs that I generated.

If you look in /etc/httpd/conf.d/medusa.conf you'll get an idea of what you need to do to integrate Apache. You need to use ssl, it has the basic setup you need to reverse proxy the Rails server, and it shows what you have to do to protect the /auth/shibboleth/callback path in the right way to interact with omniauth. Basically omniauth will work by redirecting a user to this location to login (or maybe you have to do that manually); since it is protected by shib it'll redirect to the shib auth provider. When the user authenticates they get sent back with a shib session and then some of the rails stuff handles getting the attributes and so on.

/var/log/shibboleth will have useful information for debugging problems as you get this set up.

Now on the Rails side (using Medusa as our example) the sessions controller will give you an idea how you can work with omniauth/omniauth-shibboleth. You'll almost certainly have to modify for your use case, but it has the basics of the redirection for logging in and then using the `request.env['omniauth.auth']` hash to deal with attributes. The files config/initializers/omniauth.rb and config/shibboleth.yml.example show how omniauth is configured to get the attributes you want where you want them, set the uid field, etc. (Actually shibboleth.yml.example is old and not very complete now; I'll push a more complete version in a moment.) Once you have the attributes in your Rails app you can work with them however you want. E.g. Medusa uses the uid (in our case the eppn) to identify users, which we also store locally along with maybe the email. But assuming that everything is set up correctly the presence of that header when getting the callback from the shibboleth auth provider is the signal that authentication has occurred (and the value is easily relatable to the net id).

As you're working on it it can be useful to display the html headers in your view or dump them in the log so that you can see whether shibboleth is passing attributes or not (and hence whether any problems are with the shibboleth set up or with the Rails application).
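The callback handling described above, as an added example that is not PSAP or Medusa code: a plain-Ruby model of what the Rails side sees when Apache forwards the Shibboleth attributes as HTTP headers. It stands in for `request.env['omniauth.auth']` with an ordinary hash, so it runs without Rails or the omniauth gems. The header names (`HTTP_EPPN`, `HTTP_MAIL`, `HTTP_DISPLAYNAME`), the sample values and the `/auth/shibboleth/callback` path check are assumptions; the real names come from your attribute-map.xml and Apache config. It also includes the header dump suggested above for telling a Shibboleth-side problem from a Rails-side one.

```ruby
# Added example, not PSAP/Medusa code. Models handling of the Shibboleth
# callback when attributes arrive as HTTP headers via an Apache reverse proxy.
require 'logger'

# Headers we expect Apache/Shibboleth to inject. Rack exposes the request
# header "Eppn" as env["HTTP_EPPN"]. Assumed mapping; adjust to attribute-map.xml.
SHIB_HEADERS = {
  'HTTP_EPPN'        => :eppn,
  'HTTP_MAIL'        => :email,
  'HTTP_DISPLAYNAME' => :name,
}.freeze

# Assumed path; it is the one Apache protects with Shibboleth for omniauth.
CALLBACK_PATH = '/auth/shibboleth/callback'

# Pull the Shibboleth attributes out of a Rack-style env hash.
# Returns nil unless the request came in on the Shib-protected callback path:
# only there does Apache guarantee a Shibboleth session behind the headers, so
# the same header names on any other path must not be treated as authenticated.
def shib_attributes(env)
  return nil unless env['PATH_INFO'] == CALLBACK_PATH
  attrs = {}
  SHIB_HEADERS.each do |header, key|
    value = env[header]
    attrs[key] = value unless value.nil? || value.empty?
  end
  attrs
end

# Build a hash shaped like request.env['omniauth.auth'], with uid = eppn.
# Returns nil when eppn is absent, i.e. the "authentication did not happen" case.
def auth_hash_from(env)
  attrs = shib_attributes(env)
  return nil if attrs.nil? || attrs[:eppn].nil?
  {
    'provider' => 'shibboleth',
    'uid'      => attrs[:eppn],
    'info'     => { 'email' => attrs[:email], 'name' => attrs[:name] },
  }
end

# Local part of the eppn ("netid@illinois.edu" -> "netid"), the value the
# comment above says is easily related to the NetID.
def netid_from_eppn(eppn)
  eppn.split('@', 2).first
end

# Debug aid: log which Shib-related headers are present on this request.
# Empty list => look at the Shibboleth/Apache side (/var/log/shibboleth);
# non-empty list but no login => look at the Rails side.
def dump_shib_headers(env, logger = Logger.new($stdout))
  present = SHIB_HEADERS.keys.select { |h| env.key?(h) }
  logger.info("shib headers present: #{present.inspect}")
  present
end

# Constructed sample env: what Rack sees after Apache forwards an authenticated
# callback request with the attributes set as headers.
SAMPLE_CALLBACK_ENV = {
  'PATH_INFO'        => CALLBACK_PATH,
  'HTTP_EPPN'        => 'jdoe@illinois.edu',
  'HTTP_MAIL'        => 'jdoe@illinois.edu',
  'HTTP_DISPLAYNAME' => 'Jane Doe',
}.freeze

# Constructed: the same headers on an unprotected path. Nothing upstream
# vouched for them, so they must yield no authentication.
SAMPLE_UNPROTECTED_ENV = SAMPLE_CALLBACK_ENV.merge('PATH_INFO' => '/assessments').freeze

if __FILE__ == $0
  dump_shib_headers(SAMPLE_CALLBACK_ENV)
  auth = auth_hash_from(SAMPLE_CALLBACK_ENV)
  puts "uid=#{auth['uid']} netid=#{netid_from_eppn(auth['uid'])}"
  puts "unprotected path -> #{auth_hash_from(SAMPLE_UNPROTECTED_ENV).inspect}"
end
```

The path check is the part worth keeping when you move this into a real sessions controller: with header-based attribute passing, the application is trusting whatever the proxy forwards, so it should only read those headers on the location Apache actually protects, and the Apache config should be checked to confirm that client-supplied copies of the same headers are dropped before the request reaches the Rails server.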

jhain commented 9 years ago

Alex - I think this is the only pending issue that is really holding up our ability to finish things like the tutorial videos and the user manual.... any idea when we might be able to move forward on this one? All other issues (I think) are really more enhancements and bugs than operational at this point, unless I'm missing something? Thanks so much!

adolski commented 9 years ago

@jhain I think #244 is the big one that is holding up the tutorial videos, as it involves the new left menu and redesigned header section that is going to majorly change navigation and appearance. I have a picture in my mind of what it's going to look like, I just need to carve out 2-3 days to do it. I don't know when, but I will make it a high priority.

I don't think this issue should be getting in the way of much. The Shibboleth help should pretty much amount to, "if you have a NetID, go ahead and sign in with that. Otherwise... [insert help for the registration process that is going to be in place for non-UI users either way]" Once a user is signed in, via Shibboleth or not, the application looks and works the same either way. For now, I would write the help to exclude Shibboleth, as adding it in later will be trivial.

(@jamieviva, I don't know if you are planning to cover the registration process in the videos, but I can help with that if so. You will need access to the PSAP Yahoo email account.)

Also, I know I was the one who argued for Shibboleth, but I confess that I am starting to have second thoughts, due to the amount of work it will require in the context of time constraints. Shibboleth is very complex and the best time to do it would have been last summer when I could have devoted a whole two weeks to it.

jhain commented 9 years ago

I was thinking that we are doing a video for the registration process, which isn’t functional, I think due to waiting largely for the shibboleth part, even if that’s only a piece. But yes, you’re right that #244 is also a big one that will be a hold up for final “look and feel”, not to mention functionality of the program.

I could honestly care less one way or another about Shibboleth, and given the time it requires, and the time constraints we’re up against to get this pushed out, I’m happy to drop it.

J

adolski commented 9 years ago

@jhain The registration process is functional -- I don't think we ever demoed it, but it does work. It just doesn't use Shibboleth yet, so all users, UofI or not, have to go through the same process.

Let's drop Shibboleth. That will make #244 the only thing that is holding up this video, I believe.

jhain commented 9 years ago

Fantastic!

Sent from an itty-bitty keyboard