{{{
Hopefully the attached document on installing shibboleth with Kuali Ready will answer your questions.

Ken

Ken Schroyer
Kuali Ready Product Manager
ITS Disaster Recovery Strategy Manager
AIS Project Manager
The Pennsylvania State University
Administrative Information Services (AIS)
3K Shields Building
University Park, PA 16802
Voice: (814)863-8888
Facsimile (814)863-6123
email krs5@psu.edu
AIS information http://ais.its.psu.edu/
}}}

--

== Kuali Ready – Integration for Shibboleth access ==

October 29, 2010

This document describes the interactions between Kuali Ready and the federated identity management framework using the Shibboleth software and protocols.

=== Shibboleth Service Provider (SP) Configuration ===

The Apache instance hosting Kuali Ready will use the `require shibboleth` directive to forward access control requests to Shibboleth, which processes them via the definitions in the `shibboleth2.xml` configuration file. Currently the protected path is defined as `Path name="secure"`.

In the United States, the Kuali Ready SP will use the !InCommon metadata to discover identity providers (IdPs). All institutions needing access to Kuali Ready must be registered with !InCommon. In Canada, the SP will use the Canadian Access Federation metadata (https://caf-shibops.ca/CoreServices/cafshib_metadata_signed.xml).

The Kuali Ready SP will examine the SHIB_IDENTITY_PROVIDER attribute to determine whether to allow access to Kuali Ready. Only IdPs that are defined to Kuali Ready will be allowed access to the application.

=== Shibboleth Authentication Details ===

__Location__

Kuali Ready will examine the SHIB_IDENTITY_PROVIDER header and compare this value to an application database table to determine the user’s Location. In the context of the Kuali Ready application, Location means which database the user and their continuity plans will be placed in, as well as several other aspects of the application behavior. It does not refer to the user’s physical location.
__Identity Attributes__

Kuali Ready requires the following identifiers (detail below) for each user; the ePPN attribute value shouldn’t be changed within a campus context. The IdP must assert these attributes for its users to access Kuali Ready. It is also important that the email (mail) attribute value matches your campus directory. Please contact us (kualiready-tech-support@lists.berkeley.edu) if you have any questions about this.

 * '''''eduPersonPrincipalName''''' (OID: 1.3.6.1.4.1.5923.1.1.1.6). The ePPN value alone should be unique within the campus identity provider context. It may conform to any format convention but may not exceed 256 characters in length. Kuali Ready will use the complete ePPN value to uniquely identify a user.
 * '''''givenName''''' (OID: 2.5.4.42)
 * '''''sn''''' (OID: 2.5.4.4)
 * '''''title''''' (OID: 2.5.4.12)
 * '''''mail''''' (OID: 0.9.2342.19200300.100.1.3)
 * '''''telephoneNumber''''' (OID: 2.5.4.20)
 * '''''displayName''''' (OID: 2.16.840.1.113730.3.1.241)

When using Shibboleth authentication, user attributes such as name, email address and phone number will not be updatable via the Kuali Ready application. User attributes cached in Kuali Ready will be refreshed each time the user accesses the application.

=== Integration of Kuali Ready with Shibboleth ===

This section describes the steps a campus takes to integrate its web single sign-on system with Kuali Ready via Shibboleth. Membership in !InCommon (for US) or CAF (for Canada) is required.

__Initial Setup__

Send email to kualiready-tech-support@lists.berkeley.edu and provide the following information:

 1. Shibboleth technical contact name, telephone number and email address.
 2. Helpdesk contact name, telephone number and email address for production support issues with the identity provider.
 3. Anticipated IdP QA testing date and go-live date.
 4. EntityID of your IdP.

Once this information is provided, the Kuali Ready SP will be configured to recognize your IdP.
The metadata for the Kuali Ready SP is registered with !InCommon or CAF. Campuses should use the following metadata to configure their IdP to access Kuali Ready:

 * For the US, use http://www.incommonfederation.org/metadata.html
 * For Canada, use https://caf-shibops.ca/CoreServices/cafshib_metadata_signed.xml

__Testing__

The Shibboleth entry point for the Kuali Ready staging system is:

  https://xxx.ready-staging.kuali.org/yyy

where xxx is either ‘us’ for the United States or ‘ca’ for Canada, and yyy* is a custom assigned acronym for your campus. For example, University of California, Berkeley is https://us.ready-staging.kuali.org/ucb and University of Toronto is https://ca.ready-staging.kuali.org/ut.

The Shibboleth entry point for the Kuali Ready production system is:

  https://xxx.ready.kuali.org/yyy

where xxx is either ‘us’ for the United States or ‘ca’ for Canada, and yyy* is a custom assigned acronym for your campus.

(*) The custom assigned URL for your campus will be emailed to you when it is assigned.

Once the IdP has been configured for the Kuali Ready SP, you may proceed to test:

 1. Access the staging URL above.
 2. Authenticate to your IdP.
 3. If the Shibboleth transaction is successful, you should see the Kuali Ready welcome page.
 4. If the Kuali Ready logon page appears, then either a value was not asserted for ePPN or your location is not yet defined to Kuali Ready. An error message will explain the condition.

We recommend that the custom assigned URL be added as a link on your continuity planning website.

__Support__

If there is any issue with accessing Kuali Ready via Shibboleth, send email to our technical support address, kualiready-tech-support@lists.berkeley.edu. Notify our System Administrators (kualiready@berkeley.edu) 48 hours in advance of any scheduled maintenance to your campus IdP. The Kuali Ready System Administrators will notify your campus IdP Helpdesk 48 hours in advance of any scheduled maintenance to our production system.
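As an added illustration, not Kuali Ready's own code, the following shows the access gate this document describes: the SHIB_IDENTITY_PROVIDER lookup against a Location table, the ePPN checks, the per-access refresh of cached attributes, and the two logon-page conditions listed in step 4 above. The IdP table, its entityIDs and the attribute variable names are constructed assumptions.

```python
"""Added example (not Kuali Ready's code): Location lookup and ePPN gate as described
in the Shibboleth integration document. Table contents and names are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the application table that maps a registered IdP
# entityID to a Location (the campus database). Real entityIDs come from the
# campus entry in InCommon/CAF metadata; these are placeholders.
IDP_LOCATIONS = {
    "https://idp.example-campus-us.edu/idp/shibboleth": "us/ucb",
    "https://idp.example-campus-ca.ca/idp/shibboleth": "ca/ut",
}
EPPN_MAX_LEN = 256  # limit stated in the attribute requirements
CACHED_ATTRS = ("givenName", "sn", "title", "mail", "telephoneNumber", "displayName")


@dataclass
class Decision:
    admitted: bool
    location: Optional[str]
    reason: str              # message shown on the logon page when not admitted
    user: Optional[dict]     # attribute cache, rebuilt from the assertion each access


def gate(attrs: dict) -> Decision:
    """attrs: attributes the Shibboleth SP exported to the application (by default
    Apache environment variables such as SHIB_IDENTITY_PROVIDER and eppn). They must
    be taken from the SP's export, never from client-supplied HTTP headers, or the
    IdP lookup below could be fed an arbitrary value."""
    idp = attrs.get("SHIB_IDENTITY_PROVIDER", "")
    location = IDP_LOCATIONS.get(idp)
    if location is None:
        return Decision(False, None, "Your location is not yet defined to Kuali Ready", None)
    eppn = attrs.get("eppn", "")
    if not eppn:
        return Decision(False, location, "No value was asserted for ePPN", None)
    if len(eppn) > EPPN_MAX_LEN:
        return Decision(False, location, "ePPN exceeds 256 characters", None)
    # The full ePPN identifies the user; other attributes are overwritten from the
    # assertion on every access and are not editable inside the application.
    user = {"eppn": eppn}
    for name in CACHED_ATTRS:
        user[name] = attrs.get(name, "")
    return Decision(True, location, "welcome", user)
```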