Opened 12 years ago

Last modified 6 years ago

#94 new enhancement

Shibboleth authentication

Reported by: quentin Owned by:
Priority: normal Milestone:
Component: web Keywords:
Cc:

Description

We should support Shibboleth authentication, as implemented by MIT Touchstone.

The client in RT#926238 would like to know when this happens.

Change History (6)

comment:1 Changed 11 years ago by adehnert

I got started on this, but I'm sorta stuck now and probably won't be able to finish it.

Shibboleth consists of an Apache module that defines an "AuthType shibboleth" and some related instructions, and a separate daemon (by default running as root) that does some sort of work.

Getting it running on a VM of my own (see http://potosi.mit.edu/~alex/shib.php) was a pretty trivial matter of following the instructions. I tried installing it on scripts-f11-test, but ended up with a 404 on the post-Touchstone landing page, /Shibboleth.sso/SAML/POST. I can't find what's supposed to make Shibboleth.sso work --- I think the Shibboleth Apache module is supposed to somehow hijack that page based on some configuration in /etc/shibboleth/shibboleth2.xml, but I'm not totally sure. So far as I can tell, it is *not* supposed to be configured by defining a handler or alias or the like in the normal Apache configuration.

Future endeavors may find the following pages useful:

comment:2 Changed 11 years ago by adehnert

Dude in RT #1177832 would probably like to know if this happens soon, though I'll avoid implying we can tell him...

comment:3 Changed 10 years ago by andersk

The security considerations here are complicated. When you log into MIT Touchstone, the Touchstone server will unconditionally forward your identity to every website that the Touchstone servers trust. So, unless that gets fixed, we don’t want it to be the case that any scripts user can make a website that the Touchstone servers trust. We need some kind of proxy that only forwards your identity to websites that you authorize explicitly (perhaps with an “automatically trust every scripts website” checkbox for people who don’t care about privacy).

comment:4 Changed 10 years ago by adehnert

Other SAML implementations might also work. In particular, mod_mellon (http://code.google.com/p/modmellon/) may be promising. There's also mod_auth_saml, but achernya thinks it's bad (not sure why).

See discussion on -i touchstone around 3PM on 6/9/2011.

comment:5 Changed 10 years ago by achernya

mod_auth_saml, documented at the ZXID website, has slightly scary configuration. However, what scares me more is the phrase "Memory management needs an audit."

mod_mellon has more normal-seeming configuration, but without digging into the source code of both it is hard to see which is better.

Additionally, it seems that mod_auth_saml may only be 1.0, whereas mod_mellon is definitely 2.0.

comment:6 Changed 6 years ago by adehnert

https://groups.google.com/forum/#!topic/modwsgi/3Oi4_oiXBlU is suggestive that "it is *not* supposed to [be] configured by defining a handler or alias or the like in the normal Apache configuration" may no longer be true, and SetHandler may work now. https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig has some more information. (Also, it looks like URLs have changed; https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxInstall and https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxSRPMBuild replace the URLs in my first comment.)
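For reference, here is what the Apache side of a Shibboleth SP setup looks like when the handler URL is mapped explicitly with SetHandler, as comment 6 suggests may work, alongside a protected location in the style of the NativeSPApacheConfig page. This is an added illustration, not configuration from this ticket or from scripts.mit.edu; the module path, the /secure location and the Apache version notes are assumptions.

```apache
# Added example (not from this ticket). Paths and locations are assumed.

# Load the SP module; the file name and path are distribution-specific.
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so

# Have the module, not the filesystem, answer the SP handler URL. If nothing
# claims /Shibboleth.sso, a request to /Shibboleth.sso/SAML/POST is just a
# missing file and Apache returns the 404 described in comment 1.
<Location /Shibboleth.sso>
    SetHandler shib
</Location>

# Expose attributes to the application as environment variables only.
# "On" copies them into request headers, which the SP documentation
# discourages because header-based attributes are harder to protect
# from client spoofing on paths the module does not cover.
ShibUseHeaders Off

# The protected application: an SP session is required before the
# request is passed on, so the app can trust REMOTE_USER.
<Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # Apache 2.4 authz provider; on 2.2 use "Require valid-user" instead.
    Require shib-session
</Location>
```

After reloading Apache, a request to /secure should redirect to the IdP rather than returning the page, and /Shibboleth.sso/Session should be served by the module instead of 404ing.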
