From: Matthew B. <mat...@co...> - 2005-06-06 14:35:09
Andrew Booth wrote:
>
>>>At the Bodington behind the SP, we have mapped /site and /shibsite to the
>>>same bodington servlet. The Shibboleth servlet filter is set to protect the
>>>/shibsite URLs but not the /site ones, so the same resources can be
>>>shib-protected or not depending on the URL used.
>
>>Would it be preferable to use one URL for all access to Bodington from a
>>user support point of view?
>
> Maybe, but we have to allow non-shib operation of Bodington so that the Shib
> filter doesn't kick in during normal operation. Using the /site URL as
> normal provides this.

Just one of the issues that came up when we were doing the WebAuth
integration here at Oxford was that having two URLs depending on which
authentication method was going to be used would cause problems for
users. It means you can't give out a definite URL in your lectures
because it depends on who your audience are.

>>What happens if the visitor doesn't give out username information?
>>So are you putting these users into the pass_phrase table?
>
> If the visitor's IdP doesn't release the eduPersonPrincipalName attribute,
> the visitor doesn't get in. Yes - the users get put into the pass_phrase
> table with a null or dummy passphrase. If necessary, we could prevent them
> from logging in except via Shib.

Would having a shibb_user table be a simpler/cleaner way to get this to
work? Then users could have a shibb login and a bodington login
associated with the same user. It would also mean that then existing
installs wouldn't have to alter tables. Also it makes it easy to tell
which users are shibb ones and which are internal bod ones.

-- 
+--Matthew Buckett-----------------------------------------+
| VLE Developer, Learning Technologies Group               |
| Tel: +44 (0) 1865 283660  http://www.oucs.ox.ac.uk/      |
+------------Computing Services, University of Oxford------+
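Added example, not part of the original message and not Bodington code: a sketch of the separate shibb_user table discussed above, showing that a Shibboleth-only visitor then needs no null or dummy row in pass_phrase and so has nothing a password login could match. The users table, all column names, the hashing helper and the sample accounts are assumptions made for illustration.

```python
import hashlib, hmac, sqlite3
# Only the table names pass_phrase and shibb_user come from the thread; the
# users table and every column name are assumptions made for this sketch.
SCHEMA = """
CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE pass_phrase (
    user_name TEXT PRIMARY KEY,
    phrase_hash TEXT NOT NULL CHECK (length(phrase_hash) > 0),
    user_id INTEGER NOT NULL REFERENCES users(user_id));
CREATE TABLE shibb_user (
    eppn TEXT PRIMARY KEY,  -- eduPersonPrincipalName released by the IdP
    user_id INTEGER NOT NULL REFERENCES users(user_id));
"""

def phrase_hash(phrase, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", phrase.encode(), salt, 100_000).hex()

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed data: Alice has both logins, Bob is Shibboleth-only.
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "Alice"), (2, "Bob")])
    db.execute("INSERT INTO pass_phrase VALUES (?, ?, ?)",
               ("alice", phrase_hash("constructed-secret"), 1))
    db.executemany("INSERT INTO shibb_user VALUES (?, ?)",
                   [("alice@idp.example", 1), ("bob@idp.example", 2)])
    return db

def shib_login(db, attributes):
    """user_id for a Shibboleth session; None if no eppn or no mapping."""
    eppn = attributes.get("eduPersonPrincipalName")
    if not eppn:
        return None
    row = db.execute("SELECT user_id FROM shibb_user WHERE eppn = ?", (eppn,)).fetchone()
    return row[0] if row else None

def local_login(db, user_name, phrase):
    """user_id for an internal login; Shibboleth-only users have no row."""
    row = db.execute("SELECT phrase_hash, user_id FROM pass_phrase "
                     "WHERE user_name = ?", (user_name,)).fetchone()
    if row and phrase and hmac.compare_digest(row[0], phrase_hash(phrase)):
        return row[1]
    return None

def shib_only_users(db):
    """Names of users reachable only through Shibboleth."""
    return [r[0] for r in db.execute(
        "SELECT name FROM users WHERE user_id IN (SELECT user_id FROM shibb_user) "
        "AND user_id NOT IN (SELECT user_id FROM pass_phrase) ORDER BY name")]
```
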