Someone asked how to get Slack SAML SSO working with a Shibboleth IdP. It's pretty straightforward, despite the lack of SP metadata from Slack and the inability of Slack to import IdP metadata. Slack will attempt an authentication when you save its SAML configuration, so you need to set up the IdP first.
We have a group who would like to use our internal University IDs to map campus users to Salesforce users for SSO. There are several ways to achieve this with a Shibboleth IdP and Salesforce, but this is the simplest.
Previously, I tried setting up a more efficient Shibboleth Attribute Authority - one where I could query for a specific attribute value for a specific attribute for a specific user (e.g. does email@example.com have an experimentId attribute with the value 2?). While you can add attribute values to the attribute elements in a SimpleAggregation AttributeResolver … Continue reading Authentication and Authorization with Shibboleth and LDAP
We often run multiple applications on a single server; if the apps all need the same set of attributes they can be treated as a single Service Provider (SP). Sometimes the applications need to be separated, and the obvious, easy way to do this, other than running them on separate servers, or to add a … Continue reading Configuring an SP with Multiple ProviderIDs
OCLC, like many other providers, use IP subnets for access control - e.g. anyone accessing OCLC from an address in the 171.64.x.y range is considered a Stanford user. Off-campus Stanford users currently access OCLC via an EzProxy server on campus. Users authenticate (using WebAuth) to the EzProxy server, then all traffic between the user's browser … Continue reading OCLC Access via Shibboleth
After you've installed the Shibboleth Service Provider (SP) Apache module and daemon, and joined one or more federations, you'll need to edit /etc/shibboleth/shibboleth.xml. The federation will normally give you configuration instructions, but a basic configuration is available from shibboleth.xml. The file has entries for Stanford's test federation (DevFed), Internet2's test federation (InQueue) and Internet2's production … Continue reading Configuring a Shibboleth Service Provider
Neither Stanford nor Yahoo! were ready to use Shibboleth when the interface to Yahoo! music was set up in late summer 2005. However, we wanted to migrate to Shibboleth at a later date, so we used Yahoo!'s Campaign Codes as targeted IDs - once we verified that a person was eligible for the music server … Continue reading MySQL Replication
Our test IdP is now a pair of load balanced servers (actually, they're currently two virtual machines on the same physical server, but this is for testing). idp-dev1 and idp-dev2 are running the lbcd service to enable lbnamed failover; the servers are balanced as idp-dev.stanford.edu, which is currently listed in the InQueue and DevFed (our … Continue reading Shibboleth IdP Load Balancing
I've "hacked" Shibboleth authentication for administrators and posters, and built a Shibboleth-backed TypeKey for comment authentication. Details on the Shibbolized MT site itself. It's really more of a REMOTE_USER hack, so it should work with any other authentication system that can populate the REMOTE_USER environment variable.