Discojuice in a shibboleth only environment


Willem Elbers

Jul 20, 2011, 2:48:35 AM
to DiscoJuice
Hi,

we are looking into possibilities to use discojuice in our shibboleth
environment.
We don't use any simplesaml so far and I am wondering if it is
possible in this scenario to use discojuice as our wayf frontend?

We have managed to get the frontend working quite fast, but as the
user selects an idp in the discojuice list, we get the entityID in the
discojuice callback. Do we need any special configuration or action
for the shibboleth SP to use this callback?

Cheers,

Willem Elbers
Max Planck Institute for Psycholinguistics

Andreas Åkre Solberg

Jul 25, 2011, 6:36:21 AM
to Willem Elbers, DiscoJuice
On 20 July 2011, at 08:48, Willem Elbers wrote:

> Hi,
>
> we are looking into possibilities to use discojuice in our shibboleth
> environment.

Cool. I'd be happy to guide you through the process of being early deployers :)

> We don't use any simplesaml so far and I am wondering if it is
> possible in this scenario to use discojuice as our wayf frontend?

Absolutely.

There are a few things worth mentioning though:

* DiscoJuice uses a simple API call to get the current country of the user.
* You somehow need to prepare the DiscoJuice JSON metadata feed
* You should consider the options for fallbacks for users without javascript enabled.


> We have managed to get the frontend working quite fast, but as the
> user selects an idp in the discojuice list, we get the entityID in the
> discojuice callback. Do we need any special configuration or action
> for the shibboleth SP to use this callback?

The default example I think implements a HTTP Redirect in the callback, using the entityid as a query string parameter to the new url. I'm not familiar with Shibboleth, so I am not sure exactly how you tell Shibboleth to login using a specific IdP - most likely there is an endpoint at the SP that you can redirect the user to, in order to start login.

Andreas


scho...@terena.org

Jul 29, 2011, 8:28:11 AM
to disco...@googlegroups.com, Willem Elbers

Willem,

I ran up an instance of Shibboleth SP and DiscoJuice to see how they'd
interoperate. Success!

From the default shibboleth configuration I configured the following in
shibboleth2.xml:

<!-- An example supporting the new-style of discovery service. -->
<SessionInitiator type="Chaining" Location="/DS" isDefault="true" id="DS" relayState="cookie">
    <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1" acsIndex="5"/>
    <SessionInitiator type="SAMLDS" URL="https://full-hostname.terena.org/wayf/disco.html"/>
    <!--<SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS/WAYF"/>-->
</SessionInitiator>

which is just adding isDefault="true" and changing the SAMLDS URL to the
webpage where discojuice is set up (example webpage is attached). It
requires access to "feed.json" and "country.json" files that I took from
another working instance of DiscoJuice (generated by feed.php and
country.php) and then renamed.

I placed everything in /wayf including discojuice (/wayf/discojuice
contains the contents of discojuice/www/discojuice ). With JavaScript
turned off you have to manufacture a URL that can be clicked - example in
the attached webpage. I had to add the following to my discojuice instance
as these variables weren't being defined:

Index: templates/central.tpl.php
===================================================================
--- templates/central.tpl.php (revision 2798)
+++ templates/central.tpl.php (working copy)
@@ -112,6 +112,7 @@

+global $returnidparam, $returnto;
$spentityid = !empty($_REQUEST['entityID']) ? $_REQUEST['entityID'] : null;
$returnidparam = !empty($_REQUEST['returnIDParam']) ?
$_REQUEST['returnIDParam'] : 'entityID';
$returnto = !empty($_REQUEST['return']) ? $_REQUEST['return'] : null;
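Review bot: `$returnto` is copied straight from `$_REQUEST['return']` into a global with no check against the requesting SP's registered DiscoveryResponse endpoints, so if the later show() call redirects to it, any URL placed in the `return` parameter becomes an open redirect through the WAYF; look up `$spentityid` in the SP metadata and accept `$returnto` only when its scheme, host and path match one of that entity's DiscoveryResponse Location values. The same applies to `$returnidparam`, which is echoed into the redirect URL as a parameter name and should be restricted to a plain token (for example `/^[A-Za-z0-9_]+$/`) rather than the default `'entityID'` only when absent. On the added `global $returnidparam, $returnto;` line itself: at file scope a `global` statement is a no-op, so if adding it changed behaviour the template is being included from inside a function and show() is reading these names from global scope; passing them to show() explicitly would be the cleaner fix than widening their scope.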

it should work without having to set global on these variables - but it
didn't for some reason (maybe I have a screwy PHP install - or these
variables are used somewhere else within simpleSAMLphp and the later show()
function call is accessing them).


Q: What tools do you have available to generate a dynamic "disco.html" file?

If your webserver also has PHP then the DiscoJuice/simpleSAMLphp code
could be of use. I believe that Roland Hedberg has a DiscoJuice feed
generator in Python. Not sure whether this is parsed directly from the
SAML Metadata that Shibboleth SP downloads (which would be the most useful
in your case).

-Brook

disco.html

scho...@terena.org

Jul 29, 2011, 8:37:28 AM
to disco...@googlegroups.com

Ignore that last comment about the "global" patch. I was working from an
older copy of discojuice in production. Everything else is valid.

-Brook


scho...@terena.org

Jul 31, 2011, 10:15:46 AM
to disco...@googlegroups.com, Willem Elbers

NB: I'm resending this message as Google Groups doesn't seem to be
rendering my previous message with an attachment correctly (or the HTML
attachment was sent inline).


Willem,

I ran up an instance of Shibboleth SP and DiscoJuice to see how they'd
interoperate. Success!

From the default shibboleth configuration I configured the following in
shibboleth2.xml:

<!-- An example supporting the new-style of discovery service. -->
<SessionInitiator type="Chaining" Location="/DS" isDefault="true" id="DS" relayState="cookie">
    <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1" acsIndex="5"/>
    <SessionInitiator type="SAMLDS" URL="https://full-hostname.terena.org/wayf/disco.html"/>
    <!--<SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS/WAYF"/>-->
</SessionInitiator>

which is just adding isDefault="true" and changing the SAMLDS URL to the
webpage where discojuice is set up (example webpage in previous message).

It requires access to DiscoJuice JSON "feed" and "country" output files
(alluded to in Andreas' message) which I took from another working
instance of DiscoJuice (generated by feed.php and country.php) and then
renamed - so the results are static - possibly not what you want - it
depends on the volatility of your IdPs.

I placed everything in /wayf including discojuice (/wayf/discojuice
contains the contents of discojuice/www/discojuice ). With JavaScript
turned off you have to manufacture a URL that can be clicked and manually
list IdPs in the .html file - example in the attached webpage (which lists
3 providers only - while the "feed" provides more).

Q: What tools do you have available to generate a dynamic "disco.html" file?

If your webserver also has PHP then the DiscoJuice/simpleSAMLphp code
could be of use and stripped down to the bare minimum - alternatively
maybe the CLI version of PHP could be used to generate the necessary
files.

I believe that Roland Hedberg has a DiscoJuice feed generator in Python
which might be of use.

-Brook
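The two pieces Brook's setup leaves static or hand-built are the IdP feed (copied feed.json from another instance) and the handling of the discovery request the Shibboleth SP sends to disco.html (entityID, return, returnIDParam), which Andreas' earlier reply describes only as "a redirect with the entityid as a query string parameter". The block below is an added example, not code from DiscoJuice, simpleSAMLphp or the Shibboleth SP, showing how a small server-side discovery page could do both from the same SAML metadata aggregate the SP already consumes: it emits feed entries (the `entityID`/`title` keys are assumed to be what DiscoJuice reads; adjust to your feed format), and it refuses to redirect to a `return` URL that the requesting SP has not registered as a DiscoveryResponse endpoint, since an unchecked `return` turns the WAYF into an open redirector. The metadata, entityIDs and endpoint URLs are constructed for the example.

```python
# Added example, not code from DiscoJuice, simpleSAMLphp or the Shibboleth SP.
# Builds a DiscoJuice-style feed from SAML metadata and enforces the discovery
# profile's "return" check against the same metadata.
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol",
}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed sample aggregate (hypothetical entityIDs): one SP that registers a
# DiscoveryResponse endpoint, one IdP with mdui DisplayNames, one bare IdP.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
  xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol">
 <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:Extensions>
    <idpdisc:DiscoveryResponse index="1" Location="https://sp.example.org/Shibboleth.sso/DS"
      Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"/>
   </md:Extensions>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:Extensions><mdui:UIInfo>
    <mdui:DisplayName xml:lang="es">Universidad de Ejemplo</mdui:DisplayName>
    <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
   </mdui:UIInfo></md:Extensions>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.other.example/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def display_name(ed):
    """mdui:DisplayName (English preferred), else OrganizationDisplayName, else entityID."""
    names = (ed.findall("md:IDPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:DisplayName", NS)
             or ed.findall("md:Organization/md:OrganizationDisplayName", NS))
    for n in names:
        if n.get(XML_LANG) == "en" and n.text:
            return n.text.strip()
    return names[0].text.strip() if names and names[0].text else ed.get("entityID")


def parse_metadata(xml_text):
    """Return (idps, endpoints): feed entries for every IdP, and for every SP the
    set of DiscoveryResponse Locations it registered. Both come from the same
    trusted aggregate, so the WAYF cannot list or return to anything the SP
    itself would not accept."""
    idps, endpoints = [], {}
    for ed in ET.fromstring(xml_text).iter("{%s}EntityDescriptor" % NS["md"]):
        eid = ed.get("entityID")
        if ed.find("md:IDPSSODescriptor", NS) is not None:
            idps.append({"entityID": eid, "title": display_name(ed)})  # assumed feed keys
        sp = ed.find("md:SPSSODescriptor", NS)
        if sp is not None:
            endpoints[eid] = {dr.get("Location")
                              for dr in sp.findall("md:Extensions/idpdisc:DiscoveryResponse", NS)}
    return idps, endpoints


def feed_json(xml_text):
    return json.dumps(parse_metadata(xml_text)[0], indent=1)


def validate_return(endpoints, sp_entity_id, return_url):
    """The SP may append its own query parameters (Shibboleth adds SAMLDS/target)
    to the registered Location, so compare scheme, host and path only."""
    key = lambda u: (u.scheme.lower(), u.netloc.lower(), u.path)
    r = urlsplit(return_url)
    return any(key(r) == key(urlsplit(loc)) for loc in endpoints.get(sp_entity_id, ()))


def build_redirect(return_url, return_id_param, idp_entity_id):
    """Append returnIDParam=<IdP entityID>, preserving the SP's existing query string."""
    sep = "&" if urlsplit(return_url).query else "?"
    return return_url + sep + urlencode({return_id_param: idp_entity_id})


def handle_discovery(xml_text, request_params, selected_idp):
    """Validate a discovery request (entityID/return/returnIDParam) and the user's
    choice, then return the URL the browser should be redirected to."""
    idps, endpoints = parse_metadata(xml_text)
    sp, ret = request_params.get("entityID"), request_params.get("return")
    id_param = request_params.get("returnIDParam", "entityID")
    if not sp or not ret:
        raise ValueError("discovery request lacks entityID or return")
    if not re.fullmatch(r"[A-Za-z0-9_]+", id_param):
        raise ValueError("returnIDParam is not a plain token")
    if not validate_return(endpoints, sp, ret):
        raise ValueError("return URL not registered for %s" % sp)
    if selected_idp not in {e["entityID"] for e in idps}:
        raise ValueError("unknown IdP %s" % selected_idp)
    return build_redirect(ret, id_param, selected_idp)
```

With the Shibboleth SP configured as in the SessionInitiator above, the SP sends the browser to the SAMLDS URL with `entityID=<SP entityID>` and `return=<its /DS location plus SAMLDS=1&target=...>`; `handle_discovery` accepts that only because the SP's metadata lists `/Shibboleth.sso/DS` as a DiscoveryResponse endpoint, and rejects a forged `return` pointing elsewhere. Regenerating the feed from the SP's own metadata file on a timer also removes the staleness Brook mentions for copied feed.json files.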


Andreas Åkre Solberg

Nov 11, 2011, 3:34:22 AM
to DiscoJuice DiscoJuice, Willem Elbers

On 31 July 2011, at 16:15, scho...@terena.org wrote:

>> Hi,

Hi, thanks for your interest in using DiscoJuice.

>> we are looking into possibilities to use discojuice in our shibboleth
>> environment.
>> We don't use any simplesaml so far and I am wondering if it is
>> possible in this scenario to use discojuice as our wayf frontend?

With the new hosted version of DiscoJuice 2.0 I think integration with Shibboleth should be even simpler than earlier.

https://rnd.feide.no/2011/11/02/discojuice-2-0/

>> We have managed to get the frontend working quite fast, but as the
>> user selects an idp in the discojuice list, we get the entityID in the
>> discojuice callback. Do we need any special configuration or action
>> for the shibboleth SP to use this callback?

I could help debug this, difficult to say, without looking at how it is deployed and which metadata is fed into the system.

Are you using the RCTS federations? Would it match to use the automatically generated rctsaai feed at https://static.discojuice.org/feeds/

Looking forward to hearing more about your deployment, and I'll be happy to help you out if you have questions.

Andreas

Willem Elbers

Nov 11, 2011, 3:46:49 AM
to DiscoJuice DiscoJuice
Hi Andreas,

thanks for the reply.

The new release of discojuice has some promising features.
We are planning to test v2 today or early next week.

Cheers,
Willem
