eduID: Epic Overview #116
Comments
We need native Shibboleth support provided by the Shibboleth FastCGI daemon that is then called by the Nginx FastCGI authorizer (in order to support a FastCGI authorizer, one also has to apply a patch to Nginx). This is really quite a workflow 😅 I just tried to do this on a Debian VM and got stuck for now. One also has to rebuild Shibboleth with FastCGI support (which requires other custom-built libraries). Switch also provides some documentation about how to install a Shibboleth service provider
It's quite a mess :)
I managed to compile an older version of Shibboleth and follow the steps for Nginx integration. We now have a custom version of shibboleth-sp below /opt. Next thing will be to mess around with You already registered studentenportal at the AAI registry?
I basically don't know anything about Shibboleth :D
Partially. I still have the documents somewhere, they were signed over a year ago though. I'm not sure if they'll still accept them. We can try though.
Interesting idea: https://github.com/edx/configuration/wiki/Setting-Up-External-Authentication#shibboleth You could run a separate Apache instance just for the Shibboleth endpoint.
I still have the documents (SWITCHaai Federation Partner Agreement) here, but they're so old now that I will discard them. If you decide to implement this feature, you should re-apply and fill out all documents. They need to be signed by the SWITCHaai Participant (VSHSR), a SWITCHaai member that recommends you (HSR or another participant) and SWITCH.
The IT Helpdesk just asked me about the current state of the application (by sending me a scanned version of the very document you mentioned). I think I can't do this on my own, so would you, dbrgn, like to join me to implement it this semester?
The first step would probably be to either switch to Apache to be able to use the official Shibboleth client, or to compile a custom Nginx version with the https://github.com/nginx-shib/nginx-http-shibboleth module. I'd probably lean towards the first approach, even though I like Nginx much much more than Apache. If you want, @saspeed, you could do the Nginx -> Apache migration as the first step. This also requires the use of the mod_xsendfile module (which is supported natively in Nginx). This module is used to control the access to the document downloads. Once that's done, I could probably help with the implementation (although I don't really know what the integration with Shibboleth would look like in practice). Also, don't forget this part:
Not having much experience with Python deployment on Apache, I'll consider this issue a major leap in HS16, which I'll need to do a lot of research for.
Possibly @bananatreedad might be interested in a collaboration, he's currently studying in Biel. I told him about the Studentenportal yesterday. A multi-site solution would require Shibboleth.
Regarding Python deployment on Apache I think mod_wsgi is the way to go.
@Murthy10 here is the issue about the eduID-Login implementation. Note that this issue was originally created for SwitchAAI.
Answer to the mail request at switch.ch:
I think this is still relevant.
Hrm. I thought they had an easier integration than the whole SwitchAAI-Shibboleth-thing in the meantime...
Current state: @Murthy10 has started with the setup, but the budget did not suffice to finish the implementation. Next steps: @openhsr/vorstand (@flObvious) coordinates with gnice how to continue (or finds a volunteer who wants to implement it.)
See https://wiki.shibboleth.net/confluence/display/SHIB2/Integrating+Nginx+and+a+Shibboleth+SP+with+FastCGI