Subject: The mailing list for listmasters using Sympa
List archive
Re: [sympa-users] Simulataneous local and Shibboleth authentication?
- From: Victoriano Giralt <address@concealed>
- To: address@concealed
- Subject: Re: [sympa-users] Simulataneous local and Shibboleth authentication?
- Date: Wed, 28 Mar 2012 16:36:43 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
On 28/3/12 15:40, Mail administrator, Otto J. Makela wrote:
> I've just converted our internal mailing list Sympa server to use
> a Finland-wide academic Shibboleth SSO authentication scheme called
> "Haka" against our local users.
>
> We have also have an external mailing list server that serves both
> our local users and academic users across Finland and the world. A
> large part (but not quite all) of these users could also use the
> same Haka as our internal server.
>
> I understand there are dual-authentication (both local user table
> and external authentication) Sympa installations, but the Sympa
> Wiki does not really go into the details of this, except by reading
> between the lines of the auth.conf file documentation:
> http://www.sympa.org/manual/authentication#authconf_structure
>
> Are there simple how-to instructions that could be integrated into
> this?
shib.conf in Apache configuration
========================
<Location /syma/sso_login/haka>
AuthType shibboleth
ShibRequireSession On
require shibboleth
# require mail ~ @
</Location>
========================
Shib configuration in Sympa's auth.conf
=======================
generic_sso
service_name Click to access using Haka
service_id haka
http_header_prefix mail
email_http_header mail
logout_url
https://sympa.example.fi/Shibboleth.sso/Logout?return=http%3A%2F%2Fsympa.example.fi/sympa
user_table
negative_regexp .*uma.es$
=======================
I have assumed that your robot web interface is at sympa.example.fi
and that you want to name your federated login URL /sympa/haka.
Of course this supposes that you have a working mod_shib2 for Apache2
and that you get mail as one of the attributes in the SAML assertion
(I'd check with Mikael Linden or other Hake expert at hand).
The require in the Apache Shib configuration prevents the
authentication to work in case you do not get a proper e-mail address.
- --
Victoriano Giralt Central ICT Services
Systems Manager University of Malaga
+34952131415 SPAIN
===============================================
Document Freedom Day - Liberate your documents
http://documentfreedom.org/ - March 28th 2012
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iD8DBQFPcyH7V6+mDjj1PTgRA76ZAJsF+dZS4o4aTTJ6tF9rqeLpuY7o1ACgtGDS
MIYqnX2OzKZuCU4Ju+BecIY=
=Jnbo
-----END PGP SIGNATURE-----
-
[sympa-users] Simulataneous local and Shibboleth authentication?,
Mail administrator, Otto J. Makela, 03/28/2012
- Re: [sympa-users] Simulataneous local and Shibboleth authentication?, Victoriano Giralt, 03/28/2012
Archive powered by MHonArc 2.6.19+.