  • From: Victoriano Giralt <address@concealed>
  • To: address@concealed
  • Subject: Re: [sympa-users] Simultaneous local and Shibboleth authentication?
  • Date: Wed, 28 Mar 2012 16:36:43 +0200

On 28/3/12 15:40, Mail administrator, Otto J. Makela wrote:
> I've just converted our internal mailing list Sympa server to use
> a Finland-wide academic Shibboleth SSO authentication scheme called
> "Haka" against our local users.
>
> We also have an external mailing list server that serves both
> our local users and academic users across Finland and the world. A
> large part (but not quite all) of these users could also use the
> same Haka as our internal server.
>
> I understand there are dual-authentication (both local user table
> and external authentication) Sympa installations, but the Sympa
> Wiki does not really go into the details of this, except by reading
> between the lines of the auth.conf file documentation:
> http://www.sympa.org/manual/authentication#authconf_structure
>
> Are there simple how-to instructions that could be integrated into
> this?

shib.conf in Apache configuration

========================
<Location /sympa/sso_login/haka>
AuthType shibboleth
ShibRequireSession On
require shibboleth
# require mail ~ @
</Location>
========================

Shib configuration in Sympa's auth.conf
=======================
generic_sso
service_name Click to access using Haka
service_id haka
http_header_prefix mail
email_http_header mail
logout_url https://sympa.example.fi/Shibboleth.sso/Logout?return=http%3A%2F%2Fsympa.example.fi/sympa

user_table
negative_regexp .*uma.es$
=======================

I have assumed that your robot web interface is at sympa.example.fi
and that you want to name your federated login URL /sympa/haka.

Of course this supposes that you have a working mod_shib2 for Apache2
and that you get mail as one of the attributes in the SAML assertion
(I'd check with Mikael Linden or other Haka expert at hand).

The require in the Apache Shib configuration prevents authentication
from working in case you do not get a proper e-mail address.

--
Victoriano Giralt Central ICT Services
Systems Manager University of Malaga
+34952131415 SPAIN
===============================================
Document Freedom Day - Liberate your documents
http://documentfreedom.org/ - March 28th 2012
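The dual-authentication setup in the reply above works because Sympa offers each auth.conf paragraph only to addresses that pass its `regexp` / `negative_regexp` filters: `generic_sso` (Haka) is offered to everyone, while `user_table` (local password) is withheld from the federated domain. The following added example (my own code, not Sympa's parser) reads an auth.conf in that shape and reports which methods a given address would be offered; the auth.conf text is constructed to match the reply, and the paragraph-parsing rules are an assumption based on the documented file format.

```python
import re

# Constructed auth.conf in the shape shown in the reply (not taken from a
# live Sympa install): paragraphs separated by blank lines, first line
# names the auth method, following lines are "key value" pairs.
AUTH_CONF = """\
generic_sso
service_name Click to access using Haka
service_id haka
http_header_prefix mail
email_http_header mail
logout_url https://sympa.example.fi/Shibboleth.sso/Logout?return=http%3A%2F%2Fsympa.example.fi/sympa

user_table
negative_regexp .*uma.es$
"""


def parse_auth_conf(text):
    """Return a list of {'method': name, 'params': {key: value}} paragraphs.

    Assumption: blank lines separate paragraphs and '#' starts a comment,
    as in the documented auth.conf structure.
    """
    methods = []
    for para in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in para.splitlines() if l.strip() and not l.startswith("#")]
        params = {}
        for line in lines[1:]:
            key, _, value = line.partition(" ")
            params[key.strip()] = value.strip()
        methods.append({"method": lines[0].strip(), "params": params})
    return methods


def methods_for_email(methods, email):
    """Apply the regexp/negative_regexp filters to one address.

    A method is offered only if the address matches 'regexp' (when set)
    and does not match 'negative_regexp' (when set). With the config above,
    generic_sso has no filter and is always offered; user_table is withheld
    from the SSO-covered domain, so those users cannot fall back to a
    local password.
    """
    offered = []
    for m in methods:
        p = m["params"]
        if "regexp" in p and not re.search(p["regexp"], email):
            continue
        if "negative_regexp" in p and re.search(p["negative_regexp"], email):
            continue
        offered.append(m["method"])
    return offered
```

Note that the unescaped dot in `.*uma.es$` also matches addresses such as `user@umaXes`, and the missing `@` anchor matches `user@notuma.es`; when adapting the pattern, anchor it as `@uma\.es$` so only the intended domain is excluded from local login.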

Archive powered by MHonArc 2.6.19+.