
...

I enabled the eduPersonScopedAffiliation and eduPersonPrincipalName attributes in resolver.xml, and added eduPersonPrincipalName to arp.site.xml.  This enables setting REMOTE_USER to the authenticated user name in the SP application.  To test getting attributes from the MIT LDAP server, I configured resolver.ldap.xml to do an anonymous bind to the server, and, initially, mapped the eduPersonPrincipalName attribute to the "mail" LDAP attribute, as eduPersonPrincipalName was not part of the schema on ldap.mit.edu at the time; to use this configuration, I changed the resolverConfig setting in idp.xml accordingly.  Note that I was unable to bind successfully using GSSAPI in brief testing; the error "No valid credentials provided" was logged in shib-error.log, even when I tried initializing a proper ticket cache before starting tomcat.  (The GSSAPI bind had worked in testing WebAuth's mod_webauthldap module.)

After the ldap.mit.edu schema was updated to populate additional eduPerson attribute values, I added these and some other common LDAP attributes to arp.site.xml, and reverted the mapping of eduPersonPrincipalName to "mail" in resolver.ldap.xml.

SP

See https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/SPLinuxInstall for information on installing the SP on Linux.  For posteverything, I downloaded and installed all of the RPMs from:

...

# Apache configuration for the SP test page: the CGI script is exposed at
# /shib-testenv and that location is protected by the Shibboleth SP.
ScriptAlias /shib-testenv "/var/www/cgi-bin/testenv.cgi"
<Location /shib-testenv>
   AuthType shibboleth
   # Force a Shibboleth session (IdP login) before the request reaches the CGI
   ShibRequireSession On
   # Any authenticated user may view the page
   require valid-user
</Location>
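The location above hands requests to testenv.cgi, which the page does not show. The script below is an added example of what such a test page can do, not the page's own testenv.cgi: it reports REMOTE_USER (set from eduPersonPrincipalName as described above) and every attribute header the SP exported, so the AAP.xml Header mappings can be checked before a real application relies on them. It assumes the AAP.xml Header values use the conventional "Shib-" prefix (seen by a CGI as HTTP_SHIB_*) and that the SP joins multiple values of one attribute with ";"; the sample environment in the test is constructed.

```python
#!/usr/bin/env python3
"""Hypothetical testenv.cgi (added example, not the page's own script).

Dumps REMOTE_USER and the Shibboleth attribute headers so the AAP.xml
Header mappings and the eduPersonPrincipalName -> REMOTE_USER setting
can be verified from a protected location such as /shib-testenv.
"""
import html
import os
import sys

# Assumption: AAP.xml Header values start with "Shib-", which the CGI
# environment exposes as HTTP_SHIB_*.  Adjust to match the local AAP.xml.
HEADER_PREFIX = "HTTP_SHIB_"
# Assumption: the SP joins multiple values of one attribute with ';'.
VALUE_SEPARATOR = ";"


def cgi_name_to_header(cgi_name):
    """HTTP_SHIB_EP_AFFILIATION -> shib-ep-affiliation (original case is lost)."""
    return cgi_name[len("HTTP_"):].lower().replace("_", "-")


def collect_shib_attributes(environ):
    """Return the SP-supplied identity data found in a CGI environment.

    Result: {"remote_user": str or None, "attributes": {header: [values]}}.
    A missing REMOTE_USER means the request carried no SP session, e.g.
    because ShibRequireSession was not enforced for this location.
    """
    attributes = {}
    for name, value in sorted(environ.items()):
        if not name.startswith(HEADER_PREFIX):
            continue  # ordinary request headers such as HTTP_HOST are ignored
        values = [v for v in value.split(VALUE_SEPARATOR) if v]
        attributes[cgi_name_to_header(name)] = values
    return {"remote_user": environ.get("REMOTE_USER") or None,
            "attributes": attributes}


def render_html(result):
    """Render the collected data as a small HTML page, escaping every value."""
    lines = ["<html><body><h1>Shibboleth test environment</h1>"]
    if result["remote_user"] is None:
        lines.append("<p><b>No Shibboleth session: REMOTE_USER is not set.</b></p>")
    else:
        lines.append("<p>REMOTE_USER = %s</p>" % html.escape(result["remote_user"]))
    lines.append("<table border='1'><tr><th>header</th><th>values</th></tr>")
    for header, values in result["attributes"].items():
        lines.append("<tr><td>%s</td><td>%s</td></tr>"
                     % (html.escape(header), html.escape(", ".join(values))))
    lines.append("</table></body></html>")
    return "\n".join(lines)


def main():
    # CGI response: a Content-Type header, a blank line, then the body.
    sys.stdout.write("Content-Type: text/html\r\n\r\n")
    sys.stdout.write(render_html(collect_shib_attributes(os.environ)))


if __name__ == "__main__":
    main()
```

Install it as /var/www/cgi-bin/testenv.cgi (executable) and request /shib-testenv after logging in at the IdP; an empty table with REMOTE_USER set means the IdP released no attributes past the ARP, while a "No Shibboleth session" line means the Location is not actually being protected.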
 

For testing, foonalagoona (IdP) and posteverything (SP) are configured as a "bilateral deployment"; I started with the instructions at:

...

The shibboleth.xml file is here

I modified the distributed AAP.xml to add a Header value for eduPersonNickname, and uncommented the sections defining the eduPerson and common LDAP attributes.