Shibboleth deployment for Sakai VRE demonstrator

A page for collecting and recording issues relating to a Shibboleth federation and deployment to provide access control across the Sakai VRE Demonstrator partner sites.

1. Summary of requirements at each site

In terms of infrastructure, we require at each site:

[Shibboleth component diagram]

2. Partner portal sites

| Site | Portal URI |
|---|---|
| Lancaster | http://redress.lancs.ac.uk:8080/portal |
| Daresbury | http://rhine.dl.ac.uk:8080/portal |
| Oxford | http://sakai-vre-demo.oucs.ox.ac.uk:8080/portal |
| Portsmouth | http://portals.dsg.port.ac.uk/ |

3. Local authentication mechanisms

What local authentication are the various sites using?

| Site | Mechanism used |
|---|---|
| Lancaster | LDAP |
| Daresbury | Active Directory/LDAP (*) |
| Oxford | WebAuth (Kerberos) http://webauth.stanford.edu/ |
| Portsmouth | ? |

(*) Based on comments from David Spence at RAL - we are assuming that Daresbury will use the same system. "Yes, it is all one system: Daresbury/RAL/CCLRC are all using the same domain, i.e. our IdP should work for people at Daresbury."

The Active Directory is compatible with Kerberos (i.e. the AD is effectively a KDC and so can be used by UNIX domain apps, e.g. we use it with Apache+mod_auth_kerb to provide the authentication for Shibboleth). The AD also has an LDAP interface for discovering information about principals, which we use to generate Shibboleth attributes.

4. Local attribute authorities

What attribute sources are the various sites using?

| Site | Attribute source |
|---|---|
| Lancaster | LDAP |
| Daresbury | Active Directory/Kerberos (*) |
| Oxford | LDAP |
| Portsmouth | ? |

(*) Based on comments from David Spence at RAL - we are assuming that Daresbury will use the same system. (See also comments in previous section.)

5. Available Shibboleth IdP Deployments

This section summarizes what we know about existing Shibboleth IdP deployments at each site that are available to be used with the Sakai VRE demonstrator. Each VRE system deployment will need a corresponding Shibboleth SP deployment.

| Site | IdP Deployment | Federations |
|---|---|---|
| Lancaster | None? | - |
| Daresbury | ShibGrid | InQueue, (SDSS soon?) |
| Oxford | Custom + SPIE | InQueue, (SDSS soon) |
| Portsmouth | ? | - |

6. Sakai VRE host platforms

What local hosts and platform software (e.g. Apache, IIS, etc.) are the various sites using to serve their Sakai VRE environment?

| Site | Platform used |
|---|---|
| Lancaster | Linux Apache/2.0.50 Unix mod_ssl/2.0.50 OpenSSL/0.9.7c mod_jk2/2.0.2 PHP/4.3.9 |
| Daresbury | ? |
| Oxford | Scientific Linux 4.2 (Redhat enterprise clone), Apache 2.0, Tomcat 5.5.16, Java 1.5 |
| Portsmouth | ? |

7. Core attributes

What core attributes (group membership, user information, etc.) need to be available project-wide (hence across the Shibboleth federation) to provide basic operational controls?

| Site | Local attribute | Shibboleth attribute |
|---|---|---|
| (Common) | preferredMail | urn:mace:dir:attribute-def:preferredMail (email) |
| (Common) | initials | urn:mace:dir:attribute-def:initials |
| (Common) | cn | urn:mace:dir:attribute-def:cn (common name, may be multiple) |
| (Common) | sn | urn:mace:dir:attribute-def:sn (surname) |
| Oxford | oucsStatus | urn:mace:dir:attribute-def:oucsStatus |

Other attributes suggested are:

See also SakaiVre/AttributeMappingsTable for related information.

The attributes should probably also be related to the EDUCAUSE eduPerson attributes. Details of these can be found here:

8. Sakai login and personalization mechanisms

9. Choice of Shibboleth federation

Currently, we are recommending SDSS http://www.sdss.ac.uk/ as the federation for Shibboleth access control across this project.

Alternatives might be:

10. References


-- GrahamKlyne 2006-06-19 13:25:59

The content of this wiki is licensed under the Creative Commons Attribution-ShareAlike 2.0 England & Wales Licence.

OSS Watch is funded by the Joint Information Systems Committee (JISC) and is situated within the Research Technologies Service (RTS) of the University of Oxford.