Bridging Protocols

Bridging different federation protocols.

RadSecProxy 1.1 Beta

Stig has just released 1.1-beta. He would generally recommend that everyone
upgrade to this one. If you really need maximum stability and don't
want to help test the new features, you may use 1.0p1 instead.

The new features since the alpha release are in short:

  • attribute filtering
  • accounting support
  • improved certificate matching

There are of course also a number of bugfixes.

If you are currently running 1.1-alpha, then you should upgrade to
the more stable 1.1-beta. I actually hope that everyone will upgrade
to this one.

[ Downloads, more info etc. ]

Setting up an eduGAIN Bridging Element with simpleSAMLphp

Here are some notes on how to set up a bridging element for eduGAIN with the test certificates, and how to connect it to the test eduGAIN BEs currently deployed at RedIRIS, SWITCH and elsewhere.

Basically, do a standard install of simpleSAMLphp. Configure two hostnames, one for the Remote BE and one for the H-BE.

Then configure the metadata:

The shib13-idp-hosted.php file represents your eduGAIN home bridging element. Configure the auth plugin: if you are bridging to SAML 2.0, set it to saml2/sp/initSSO.php; if you are bridging to a Shibboleth federation, set it to shib13/sp/initSSO.php. If you are bridging to A-Select or PAPI, ask the developers. If you want to set up an LDAP login interface at the H-BE itself, set it to auth/login.php.

The shib13-sp-remote.php file represents the remote bridging elements that your home bridging element trusts.

The shib13-sp-hosted.php file represents your eduGAIN remote bridging element. Configure the hostname and the entity ID (providerID).

The shib13-idp-remote.php file represents all the home bridging elements that

Configure Shibboleth 1.3 SP to work with simpleSAMLphp IdP

How to configure a Shibboleth 1.3 SP to work with a simpleSAMLphp IdP or bridge.

Document placeholder

not yet written.

Input welcome.

simpleSAMLphp Advanced Features

Here are some advanced features in simpleSAMLphp that are not covered in the standard install and configuration guides.

Examples of topics include bridging protocols, attribute name mapping, attribute conversion and attribute injection.

Alternative versions available of this document

  • latest version, Corresponding to latest version of simpleSAMLphp (from trunk)
  • version 1.5, Corresponding to simpleSAMLphp v1.5
  • version 1.3, Corresponding to simpleSAMLphp v1.3
  • version 1.1, Corresponding to simpleSAMLphp v1.1
  • version 1.0, Corresponding to simpleSAMLphp v1.0
  • Version: $Id: simplesamlphp-advancedfeatures.txt 2209 2010-03-08 12:41:15Z andreassolberg $

simpleSAMLphp documentation

This document is part of the simpleSAMLphp documentation suite.

This document assumes that you already have an installation of simpleSAMLphp running, configured and working. This is the next step :)

Bridging between protocols

A bridge between two protocols is built using both an IdP and an SP, connected together. To let a SAML 2.0 SP talk to a SAML 1.1 IdP, you build a simpleSAMLphp bridge from a SAML 2.0 IdP and a SAML 1.1 SP. The SAML 2.0 SP talks to the SAML 2.0 IdP, w...

Authentication in SIP

Screenshot of slides

A presentation was held at UNINETT in November 2006 about authentication mechanisms in SIP (Session Initiation Protocol), and I just made it available on the web.

I discuss SAML, Feide, eduroam, 802.1X, NAS-SAML, etc., and SIP extensions.


Technology Preview: Feide OpenID

All users that have a Feide ID can now use their ID with OpenID service providers.

Currently, the Feide OpenID interface is not official, in the sense that we cannot guarantee anything. We would appreciate it if end users tested the service and gave us feedback on how it works, whether it works, and which features to implement next.

The Feide OpenID interface supports authentication with OpenID 1.1. I've implemented Simple Registration Extension, but this is not yet as stable as the basic authentication functionality.

How to use Feide OpenID

In this early test phase of Feide OpenID the URLs are temporary. That means that if you start using this test service, you will at some point need to update the OpenID references on your website.

The OpenID Provider URL is:

http://feide.erlang.no/openid2/examples/server/server.php

The OpenID Delegation URL should be:

https://openid.feide.no/andreas@uninett.no, where andreas@uninett.no is my Feide name. Replace it with your Feide name.

Shibboleth 1.3 to SAML 2.0 Bridge

As we are waiting for Shibboleth 2.0... and waiting...

I decided to start the day by implementing a Shibboleth 1.3 IdP in PHP. By that I mean an entity able to issue assertions that Shibboleth 1.3 SPs can interpret. I did not care about writing a user interface or authentication against an LDAP backend.

It was pretty straightforward, except for xmldsig, which is nontrivial. I started with an assertion with a static NameID and some static attributes for testing. When I had it working, I integrated it with the OpenSSO PHP Extension to perform the authentication via our SAML 2.0 IdP. When the user returns after authenticating at Feide, I get the attributes and the NameID I need, and wrap those into the SAML 1.1 AuthNResponse.

I configured a Shibboleth 1.3 SP with Apache 1.3 and mod_shib. I also installed PHP and wrote a simple attribute viewer showing all HTTP_SHIB* headers. I added metadata for my Shib IdP, and added all the Feide attributes in an ARP file.
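The re-wrapping step described above, as an added Python example (not the author's PHP implementation): the NameID and attributes are pulled out of a constructed SAML 2.0 assertion and re-issued in a SAML 1.1 Response of the shape a Shibboleth 1.3 SP consumes, with the bridge's own short validity window and audience restriction. Entity IDs and URLs are made-up placeholders; xmldsig is omitted (the Response must be signed before an SP will accept it), and the AuthenticationStatement a full Browser/POST response also carries is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.1 keeps the 1.0 namespace
SAML1P = "urn:oasis:names:tc:SAML:1.0:protocol"
SHIB_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
ET.register_namespace("saml", SAML1)
ET.register_namespace("samlp", SAML1P)
q = lambda ns, tag: f"{{{ns}}}{tag}"  # Clark-notation tag for ElementTree

# Constructed sample of what the SAML 2.0 side of the bridge receives (no real data).
SAML2_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}" Version="2.0" ID="_u1">
 <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation">
   <saml:AttributeValue>student</saml:AttributeValue>
   <saml:AttributeValue>member</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion>"""

def extract_saml2(xml_text):
    """Return (NameID, {attribute name: [values]}) from a SAML 2.0 Assertion."""
    root = ET.fromstring(xml_text)
    nameid = root.findtext(f"{q(SAML2, 'Subject')}/{q(SAML2, 'NameID')}")
    attrs = {a.get("Name"): [v.text for v in a.findall(q(SAML2, "AttributeValue"))]
             for a in root.iter(q(SAML2, "Attribute"))}
    return nameid, attrs

def build_saml1_response(nameid, attrs, issuer, audience, recipient, now=None):
    """Unsigned SAML 1.1 Response re-issued by the bridge in its own name, with a
    fresh 5-minute window and an AudienceRestriction for the target SP."""
    now = now or datetime.now(timezone.utc)
    ts = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    resp = ET.Element(q(SAML1P, "Response"), MajorVersion="1", MinorVersion="1",
                      ResponseID="_r1", IssueInstant=ts(now), Recipient=recipient)
    status = ET.SubElement(resp, q(SAML1P, "Status"))
    ET.SubElement(status, q(SAML1P, "StatusCode"), Value="samlp:Success")
    asn = ET.SubElement(resp, q(SAML1, "Assertion"), MajorVersion="1", MinorVersion="1",
                        AssertionID="_a1", Issuer=issuer, IssueInstant=ts(now))
    cond = ET.SubElement(asn, q(SAML1, "Conditions"), NotBefore=ts(now),
                         NotOnOrAfter=ts(now + timedelta(minutes=5)))
    arc = ET.SubElement(cond, q(SAML1, "AudienceRestrictionCondition"))
    ET.SubElement(arc, q(SAML1, "Audience")).text = audience
    stmt = ET.SubElement(asn, q(SAML1, "AttributeStatement"))
    subj = ET.SubElement(stmt, q(SAML1, "Subject"))
    ET.SubElement(subj, q(SAML1, "NameIdentifier")).text = nameid
    for name, values in attrs.items():  # Shibboleth 1.x attribute naming convention
        a = ET.SubElement(stmt, q(SAML1, "Attribute"), AttributeName=name, AttributeNamespace=SHIB_NS)
        for v in values:
            ET.SubElement(a, q(SAML1, "AttributeValue")).text = v
    return ET.tostring(resp, encoding="unicode")
```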