shibb portal proof of concept
Tue, Nov 7, 2006
Well, it was like treading on egg shells but I finally managed to shibb Sakai. At the moment, to be strict, it’s just shibbing the admin workspace as the Guanxi portal will auto log you in based on your email address which it gets from your IdP.
What it means is, as a proof of concept, you can specify a bunch of email addresses, the owners of which can admin your sakai. So how is it done? Well I won’t go into too much detail here as the patient is in transit to Dr. Guanxi’s Shibb Clinic but it was ultra easy in the end.
Normally, to login to Sakai, you go to:
and login as admin. Now, to shibb-in as the admin user, you go to:
it’s a new shibb portal (portal-shibb) with a Guanxi binding (gx). The /gx servlet is an auto-login servlet. That’s all it does. It checks your email address from the SAML attributes and if it matches, it logs you in and redirects to the main Sakai site on /portal.
The Guanxi SAML Engine is completely separate at the moment. It’s actually running on another server but I’ll add it to the portal in due course. The main action happens in the Guard which is protecting /shibb/gx. Before you get anywhere near the auto-login servler, you’re hooked, spun round and sent off to the WAYF and then your IdP. The SAML Engine then gets your attributes and sends them to the Guard via their web services. The Guard then steps aside and lets you in to /shibb/gx.
The next part is the gx servlet pulls your email address from the headers and logs you in as admin if you’re in the list. Voila, one shibbed Sakai!
The next steps are to remove dependence on request headers and code up a UserDirectoryProvider and GroupProvider to work with the Pod of SAML attributes that are injected into the user’s Sakai session.
Once the providers are done that will remove the restriction on logging in as admin and you’ll be able to login as yourself and use tools in Sakai that you have permissions for, based on your SAML attributes.