Shibboleth authentication

[quentin]

We should support Shibboleth authentication, as implemented by MIT Touchstone.

The client in RT#926238 would like to know when this happens.

[adehnert]

I got started on this, but I'm sorta stuck now and probably won't to be able to finish it.

Shibboleth consists of an Apache module that defines an "AuthType? shibboleth" and some related instructions, and a separate daemon (by default running as root) that does some sort of work.

Getting it running on a VM of my own (see ​http://potosi.mit.edu/~alex/shib.php) was a pretty trivial matter of following a instructions. I tried installing it on scripts-f11-test, but ended up with a 404 on the post-Touchstone landing page, /Shibboleth.sso/SAML/POST. I can't find what's supposed to make Shibboleth.sso work --- I think the Shibboleth Apache module is supposed to somehow hijack that page based on some configuration in /etc/shibboleth/shibboleth2.xml, but I'm not totally sure. So far as I can tell, it is *not* supposed to configured by defining a handler or alias or the like in the normal Apache configuration.

Future endeavors may find the following pages useful:

• ​https://wikis.mit.edu/confluence/display/TOUCHSTONE/Provisioning+Steps (MIT's instructions on how to get MIT's IdP to recognize your SP, and similar)
• ​https://spaces.internet2.edu/display/SHIB2/NativeSPLinuxSRPMBuild (building Shibboleth RPMs from the SRPMs)
• ​https://spaces.internet2.edu/display/SHIB2/NativeSPLinuxInstall (installing Shibboleth on Linux)

[adehnert]

Dude in RT #1177832 would probably like to know if this happens soon, though I'll avoid implying we can tell him...

[andersk]

The security considerations here are complicated. When you log into MIT Touchstone, the Touchstone server will unconditionally forward your identity to every website that the Touchstone servers trust. So, unless that gets fixed, we don’t want it to be the case that any scripts user can make a website that the Touchstone servers trust. We need some kind of proxy that only forwards your identity to websites that you authorize explicitly (perhaps with an “automatically trust every scripts website” checkbox for people who don’t care about privacy).

[adehnert]

Other SAML implementations might also work. In particular, mod_mellon (​http://code.google.com/p/modmellon/) may be promising. There's also mod_auth_saml, but achernya thinks it's bad (not sure why).

See discussion on -i touchstone around 3PM on 6/9/2011.

[achernya]

mod_auth_saml, documented at the ​ZXID website, has slightly scary configuration. However, what scares me more is the phrase "Memory management needs an audit."

mod_mellon has more normal-seeming configuration, but without digging into the source code of both it is hard to see which is better.

Additionally, it seems that mod_auth_saml may only be 1.0, whereas mod_mellon is definitely 2.0

[adehnert]

​https://groups.google.com/forum/#!topic/modwsgi/3Oi4_oiXBlU is suggestive that "it is *not* supposed to configured by defining a handler or alias or the like in the normal Apache configuration" may no longer be true, and SetHandler may work now. ​https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig has some more information. (Also, it looks like URLs have changed; ​https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxInstall and ​https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxSRPMBuild replace the URLs in my first comment.)