Help choosing a path for shibboleth integration

By Joseph Elsherbini @elsherbini 2020-04-08 14:02:17.219Z

Talkyard is an amazing piece of software. I'm hoping to use it to help researchers at my university share best practices and help each other with data analysis. You can see an example version of the site at https://www.mit.edu/~realdata/help/ .

I'm trying to move the website to be a subdomain of the university website and have people log in using their university credentials. They use Shibboleth and they only support Apache's Shibboleth module. Our IS+T department is helping me and offered two paths they thought were possible, and I wanted to see what you thought before proceeding.

  1. In the past they supported another service that ran on nginx by having both Apache and nginx running on the same server.

  2. They also run and support a CAS server that they use for their GitHub integration.

I'm very inexperienced when it comes to auth questions, so I'm not sure if either of these is obviously easier to integrate with Talkyard, or if I'd need more information from IS+T before choosing. Do you have any thoughts?

  • 2 replies
  1. KajMagnus @KajMagnus 2020-04-09 12:34:12.422Z

    Hi Joseph: Alt 2 should work, not now but soon. — As per the CAS docs, CAS supports OpenID Connect (OIDC), which I have in mind to add to Talkyard. I hope to start with that next week — will probably take one or two weeks.

    Would you like to ask the IS+T people if the CAS server supports OIDC? (not impossible the CAS server version is old, or something else, so that it does not yet support OIDC)

    The Apache Shibboleth module — that's the Apache Web Server plus mod_shib? Would you like to ask them if that's correct, and if mod_shib supports OIDC or not? (I think it doesn't, I think it's for SAML only)

    Thanks for the link to the example version of the site

    1. Joseph Elsherbini @elsherbini 2020-06-09 13:36:17.365Z

      Thanks so much for replying.

      I'm working with them to understand what the CAS server situation is here. It looks like it might not be the Apereo product but rather something internally made, so it's hard to know if it is up to spec. The person helping said they found a "urlpattern: url(r'^openid/complete/$', callback, name='openid_callback')" in the code, but more testing would have to be done.

      As for the Apache question, the person who answered me said:

      The Apache Shibboleth setup is normally Apache + mod_shib + shibd (a standalone process running on the machine, which holds access to the key material and manages the local copy of metadata). For some of our apps (Drupal8), we dispense with mod_shib and shibd, and use SimpleSAMLphp (which does it all in PHP).

      So I think you are right that it is SAML only.