Shibboleth: update shibboleth2.xml entityID to end with "sp" rather than "shibboleth" #2104
Comments
More importantly, we've already updated the example at http://guides.dataverse.org/en/latest/installation/shibboleth.html to be However, all of our servers still have the old style ending in "shibboleth" rather than "sp". For example, https://dataverse-demo.iq.harvard.edu/Shibboleth.sso/Metadata shows @scolapasta and @kcondon I'm thinking we could use this issue to work on making sure all of our servers use the new ending. Also, we should re-define which servers we want Shibboleth support on. Here's a potential list:
In INC01226245 we're working on getting https://dataverse.harvard.edu registered with InCommon at https://incommon.org/federation/info/all-entity-categories.html#SPs but we could probably have a few testing or staging instances. In the past we've done "out of band" metadata exchanges for Harvard's Identity Provider (IdP) but since the Harvard IdP is part of InCommon we should probably treat it like all other IdPs in that federation.
The Entity IDs doc also has a warning that says
So in any case it's important to choose wisely before registering and using an ID. Add to #2884?
https://dataverse-demo.iq.harvard.edu was renamed to https://demo.dataverse.org in #2651. To me this issue is about registering the following two servers at https://incommon.org/federation/info/all-entities.html#SPs
As of this writing https://dataverse.harvard.edu is using a non-recommended entityID (doesn't end in "sp") and https://demo.dataverse.org isn't configured for Shibboleth at all (after the rename). To make progress on this I could at least reconfigure demo with a recommended entityID (I may want to change the docs from shibtest to demo) and get it working again with http://www.testshib.org . Incidentally, I noticed that many QA/testing/staging/demo Service Providers are registered with InCommon... ... and I think one server should be enough but I'll check with @kcondon if he'd like more from the list at #2104 (comment) registered with InCommon.
I checked in with @kcondon and he said that ideally the following servers would be registered with InCommon:
I'm adding public vs. private above because I think that all servers would necessarily become public as part of the InCommon registration process. This means that they would need to be given stable hostnames and have real SSL certs, etc. I don't think we should bother registering https://apitest.dataverse.org and in general I think there's agreement that this should someday be deprecated in favor of https://demo.dataverse.org . Likewise, it's probably not worth registering http://phoenix.dataverse.org . It's actively used but we don't need to clutter up the InCommon list and there seem to be enough other hosts to test on. Same with cluster/staging which is used for load testing. I'm planning on using https://shibtest.dataverse.org for testing in the near term but I don't think it needs to be registered with InCommon either. We can use beta or some other server.
I just changed the entityID on https://demo.dataverse.org to the one we want to use (
Running 2016-03-07 update: The TestShib metadata expired again, resulting in the usual "Something horrible happened... Error Message: SAML 2 SSO profile is not configured for relying party" error: Rather than re-uploading our metadata I configured https://demo.dataverse.org for InCommon (as I mentioned at #2937) even though we haven't been registered with them.
As of yesterday (INC01606454) https://dataverse.harvard.edu/Shibboleth.sso/Metadata and https://dataverse.harvard.edu/Shibboleth.sso/DiscoFeed are back in action. I chatted with @bencomp about this at http://irclog.iq.harvard.edu/dataverse/2016-02-25 We still need to (via INC01226245):
Once these are registered with InCommon I'll consider this issue ready for QA.
A week ago the people working on INC01226245 replied and said they are actively trying to resolve it.
@kcondon and I discussed how #2937 is really a better issue to leave open for getting Harvard servers registered with InCommon in INC01226245 since it's about federated login so I'm passing this to QA to close. I changed the title of this issue to be about changing the entityID to end in "sp" rather than "shibboleth", which we have done on all of our servers and in the guides.
Per https://spaces.internet2.edu/display/InCFederation/Entity+IDs it has been recommended that our Shibboleth entityID be in this form...
... rather than this one:
We should update the example at https://github.com/IQSS/dataverse/blob/master/conf/vagrant/etc/shibboleth/shibboleth2.xml
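The check below is an added example, not code from the Dataverse project or from the Shibboleth SP distribution. It reads the `entityID` attribute of `<ApplicationDefaults>` from a shibboleth2.xml, flags the old `.../shibboleth` ending (and a non-https scheme) against the `https://<hostname>/sp` form this issue standardizes on, rewrites only that attribute, and compares the configured entityID with the one the SP publishes at `/Shibboleth.sso/Metadata`, which is the place the thread keeps checking. The hostname `dataverse.example.edu` and both XML snippets are constructed for the example; the element names and the SP config namespace are the standard ones.

```python
"""Check and rewrite a Shibboleth SP entityID (added example; not Dataverse code)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed shibboleth2.xml fragment in the old style (entityID ends in "shibboleth").
OLD_SHIBBOLETH2_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults entityID="https://dataverse.example.edu/shibboleth"
                       REMOTE_USER="eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" handlerSSL="true"/>
  </ApplicationDefaults>
</SPConfig>
"""

# Constructed /Shibboleth.sso/Metadata response for the same SP (trimmed to the entityID).
OLD_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://dataverse.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
"""


def _local(tag):
    """Strip the namespace so SP 2.x and 3.x config namespaces both match."""
    return tag.rsplit("}", 1)[-1]


def entity_id_from_sp_config(xml_text):
    """Return the entityID attribute of <ApplicationDefaults> in shibboleth2.xml."""
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "ApplicationDefaults":
            return el.get("entityID")
    raise ValueError("no ApplicationDefaults element found")


def entity_id_from_metadata(xml_text):
    """Return the entityID of the <EntityDescriptor> served at /Shibboleth.sso/Metadata."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "EntityDescriptor":
        raise ValueError("not SAML entity metadata")
    return root.get("entityID")


def check_entity_id(entity_id):
    """Return findings against the https://<hostname>/sp form; empty list means it conforms."""
    findings = []
    u = urlparse(entity_id)
    path = u.path.rstrip("/")
    if u.scheme != "https":
        findings.append("scheme is %r, expected https" % u.scheme)
    if not u.hostname:
        findings.append("no hostname in entityID")
    if path.endswith("/shibboleth"):
        findings.append("path ends in /shibboleth (software name); recommended form ends in /sp")
    elif not path:
        findings.append("entityID has no path; recommended form is https://<hostname>/sp")
    elif not path.endswith("/sp"):
        findings.append("path %r does not end in /sp" % u.path)
    return findings


def recommended_entity_id(entity_id):
    """Derive https://<hostname>/sp from any entityID, keeping only the hostname."""
    host = urlparse(entity_id).hostname
    if not host:
        raise ValueError("cannot derive hostname from %r" % entity_id)
    return "https://%s/sp" % host


# Matches only the entityID attribute on <ApplicationDefaults>, not other entityID attributes
# (e.g. on <SSO> or <MetadataProvider> filters) that may appear in the same file.
_APPDEFAULTS_ENTITYID = re.compile(r'(<ApplicationDefaults\b[^>]*?\bentityID=")([^"]*)(")')


def rewrite_sp_config(xml_text, new_entity_id):
    """Return shibboleth2.xml with the ApplicationDefaults entityID replaced."""
    new_text, n = _APPDEFAULTS_ENTITYID.subn(
        lambda m: m.group(1) + new_entity_id + m.group(3), xml_text, count=1)
    if n != 1:
        raise ValueError("ApplicationDefaults entityID attribute not found")
    return new_text


def config_matches_published_metadata(config_xml, metadata_xml):
    """True when the running SP publishes the entityID the config declares."""
    return entity_id_from_sp_config(config_xml) == entity_id_from_metadata(metadata_xml)


if __name__ == "__main__":
    current = entity_id_from_sp_config(OLD_SHIBBOLETH2_XML)
    for finding in check_entity_id(current):
        print("%s: %s" % (current, finding))
    fixed = rewrite_sp_config(OLD_SHIBBOLETH2_XML, recommended_entity_id(current))
    print("rewritten entityID:", entity_id_from_sp_config(fixed))
    print("published metadata matches config:",
          config_matches_published_metadata(fixed, OLD_SP_METADATA))
```

After editing the real file, `shibd` has to be restarted before `/Shibboleth.sso/Metadata` reflects the new value, which is why the last check is done against the served metadata rather than the file. The rewrite only makes sense on an SP that has not yet been registered with a federation: once an entityID is in InCommon metadata, every IdP keys its attribute-release policy on it, and changing it means re-registering, which is the point the thread makes about choosing wisely before registering.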