	cosign-discuss at umich.edu
	general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

re: cosign and shibboleth

To: vrao <vrao@xxxxxxxxxxx>
Subject: re: cosign and shibboleth
From: Bill Doster <Bill.Doster@xxxxxxxxx>
Date: Mon, 25 Jul 2005 16:32:10 -0400
Cc: cosign-discuss@xxxxxxxxx
User-agent: Internet Messaging Program (IMP) H3 (4.0.3)

(Had to get cosign-discuss reset back to "anyone-can-post-to-it)

Here's my (rough) notes on when I did it some months ago.

I've attached the actual MS-Word document as well as
including a cut-paste of its contents.  Hopefully
you can view the doc since the indentation gets lost
in a cut-paste...  (I've added some of the indentation
and white-space back in)

Once you've already gotten the pre-requisites working,
it's around fifteen minutes of effort.  Trying to get
anything working in one flying leap is ... just asking
for it.
----

Marrying Cosign and Shibboleth

Overview
Shibboleth provides the underpinnings for an Authorization framework for
web-based (and increasingly non web-based) services that can be used both
within an institution and between institutions.  It is designed so that each
institution can continue using its existing Authentication infrastructure with
the institution?s Origin.  This paper documents the pre-requisites and changes
needed to use Cosign for Authentication with an institution?s Shibboleth
Origin.

Pre-requisites

Overview
This document focuses on the changes needed to marry two already functioning
services together, leaving it to the Cosign and Shibboleth documentation to
detail how to bring themselves up.  Below are those aspects of the two systems
that a successful marriage depends upon.

Shibboleth Origin
Chapters 3 & 4 (from
http://shibboleth.internet2.edu/guides/deploy-guide-origin1.2.1.html)
Chap 3 lists the following five requirements
   Apache 1.3.26+
   Tomcat 4.1.18-24 LE Java server and above
   Sun J2SE JDK v1.4.1_01 and above
   mod_jk or mod_jk2
   Shib Origin 1.0+
   An enterprise authentication mechanism
      Mod_cosign
         http://weblogin.org for downloads and documentation

Cosign weblogin service
Not changed in anyway.  The above Shibb origin is simply yet another
Cosign-dependent web-server.


Changes

Overview
Once you have the pre-requisites in place, marrying the two is simply a matter
of having all references to the location of the Origin?s Handle Service (HS) be
protected by Cosign.  The five lines below demonstrate how it?s implemented at a
large institution.

Shibboleth Origin

Apache
   Httpd.conf (or equiv)
        <IfModule mod_cosign.c>
            <Location /shibboleth/HS>
                CosignProtected On
            </Location>
        </IfModule>

Attachment: Marrying Cosign and Shibboleth.doc
Description: MS-Word document

Prev by Date: Fw: cosign and shibboleth
Next by Date: Cookie Deletion in PHP5 on IIS6
Previous by thread: Fw: cosign and shibboleth
Next by thread: Cookie Deletion in PHP5 on IIS6
Index(es):
- Date
- Thread