Ondřej Košarko edited this page Feb 1, 2016 · 2 revisions

Idp discovery

When you are accessing a protected resource, a session must be started. What happens at that point is configured in shibboleth2.xml under the SessionInitiator element (or the SSO element in newer versions), for example:

<SSO discoveryProtocol="SAMLDS" discoveryURL=".../discovery.html" relayState="cookie">
    SAML2 SAML1
</SSO>

In our case you are shown a page that lets you select an IdP. This page can be provided by various entities (e.g. eduid.cz, clarin.eu, dfn...), but in order to list all IdPs that are allowed in our configuration, we have to provide our own.

One other parameter that is passed around (besides the selected IdP) is the URL of the protected resource. That is where you want to return to once the session has been started.

The IdP discovery page is once again done using DiscoJuice, and you can find all the necessary files under /var/www/idpdiscovery. The most important part is discovery.html. It loads and fires the necessary scripts. The configuration is almost the same as when setting up the popup. After you've created the DiscoJuice configuration object (djc), you just set it to be always visible (no waiting for clicks) with djc.always. It also seems you have to set up an ACL (a hostname allow-list) for the return parameter, so that only return URLs pointing at resources with hostname ufal-point.mff.cuni.cz or ufal-point-dev.ms.mff.cuni.cz (see above) will be accepted.
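The request/response exchange described above and the return-parameter ACL, as an added example in plain JavaScript. This is not code from the wiki page, from DiscoJuice or from idpdiscovery.js; it only shows the two checks a discovery page has to perform before sending the browser back to the SP. It assumes the SAML IdP Discovery Service protocol parameter names (entityID, return, returnIDParam, with entityID as the default name when returnIDParam is absent), the two hostnames are the ones from the ACL above, and the sample request URL is constructed.

```javascript
// Added example (not from the LINDAT wiki or DiscoJuice): the checks a
// discovery service (DS) must do before redirecting the browser back to the SP.
//
// In the SAML IdP Discovery protocol the SP sends the browser to the DS with
// entityID (the SP itself), return (where to send the browser back to) and,
// optionally, returnIDParam (name of the query parameter that will carry the
// chosen IdP; the protocol default is "entityID"). A DS that redirects to any
// "return" value it is handed is an open redirector, so the return URL is
// checked against a hostname allow-list, like the ACL given to
// IdPDiscovery.setup() in discovery.html.

// Hostnames taken from the ACL in the text above.
const ALLOWED_RETURN_HOSTS = ['ufal-point.mff.cuni.cz', 'ufal-point-dev.ms.mff.cuni.cz'];

// Parse the discovery request parameters from the full URL of the DS page.
function parseDiscoveryRequest(dsUrl) {
  const params = new URL(dsUrl).searchParams;
  return {
    entityID: params.get('entityID'),
    returnUrl: params.get('return'),
    returnIDParam: params.get('returnIDParam') || 'entityID',
  };
}

// Exact, case-insensitive hostname match over https only. No suffix matching,
// so "ufal-point.mff.cuni.cz.attacker.example" is rejected, and non-http(s)
// schemes such as javascript: are rejected by the protocol check.
function isAllowedReturn(returnUrl, allowedHosts) {
  let u;
  try {
    u = new URL(returnUrl);
  } catch (e) {
    return false; // unparseable value: never redirect
  }
  if (u.protocol !== 'https:') return false;
  return allowedHosts.includes(u.hostname.toLowerCase());
}

// Build the redirect back to the SP with the chosen IdP appended under
// returnIDParam. Returns null when the return URL fails the allow-list, which
// the page should treat as "show an error, do not redirect".
function buildDiscoveryResponse(request, chosenIdP, allowedHosts) {
  if (!request.returnUrl || !isAllowedReturn(request.returnUrl, allowedHosts)) {
    return null;
  }
  const target = new URL(request.returnUrl);
  target.searchParams.set(request.returnIDParam, chosenIdP);
  return target.toString();
}

// Constructed sample: what a Shibboleth SP might send the browser to the DS
// with (values are made up for the example).
const SAMPLE_DS_URL =
  'https://ds.example.org/discovery.html' +
  '?entityID=https%3A%2F%2Fufal-point.mff.cuni.cz%2Fshibboleth' +
  '&return=https%3A%2F%2Fufal-point.mff.cuni.cz%2FShibboleth.sso%2FLogin' +
  '%3FSAMLDS%3D1%26target%3Dhttps%253A%252F%252Fufal-point.mff.cuni.cz%252Fxmlui%252F';

function demo() {
  const req = parseDiscoveryRequest(SAMPLE_DS_URL);
  return buildDiscoveryResponse(req, 'https://cas.cuni.cz/idp/shibboleth', ALLOWED_RETURN_HOSTS);
}
```

When run, demo() returns the SP's Login URL with the original SAMLDS and target parameters preserved and entityID=https://cas.cuni.cz/idp/shibboleth appended; a return URL on any other host, or over plain http, yields null instead of a redirect.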

A working example of discovery.html:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
    <title>Select Your Login Provider</title>

    <link rel="shortcut icon" href="http://discojuice.bridge.uninett.no/simplesaml/module.php/discojuice/favicon.png" />

    <!-- jQuery hosted by Google -->
    <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js" type="text/javascript"></script>

    <!-- DiscoJuice and the IdP discovery helper, served from /var/www/idpdiscovery -->
    <script type="text/javascript" src="./discojuice-2.1.en.min.js"></script>
    <script type="text/javascript" src="./idpdiscovery-2.1.min.js"></script>
    <link rel="stylesheet" type="text/css" href="./discojuice.css" />

    <style type="text/css">
        body {
            text-align: center;
        }
        div.discojuice {
            text-align: left;
            position: relative;
            width: 600px;
            margin-right: auto;
            margin-left: auto;
        }
    </style>

    <script type="text/javascript">
        // $(document), not $("document"): the latter is a tag selector that matches nothing
        $(document).ready(function() {
            var title = "LINDAT - Clarin";
            var spentityid = "";                                      // could be taken from the entityID query parameter
            var responseUrl = './discojuiceDiscoveryResponse.html';   // page the IdP selection is posted back to
            var feeds = [];
            var returnTo = "";                                        // unused; the return URL is handled by IdPDiscovery.setup
            var djc = DiscoJuice.Hosted.getConfig(title, spentityid, responseUrl, feeds);

            // IdP metadata feed served by our own SP on the same host as this page
            var host = "https://" + window.location.hostname;
            var metadataFeed = host + "/xmlui/discojuice/feeds";
            djc.metadata = [metadataFeed];

            // Extra IdPs not present in the feed; weight influences the ordering in the list
            djc.inlinemetadata = [
                {
                    "country": "_all_",
                    "entityID": "https://idp.clarin.eu",
                    "geo": {"lat": 51.833298, "lon": 5.866699},
                    "title": "Clarin.eu website account",
                    "weight": 1000
                },
                {
                    "country": "CZ",
                    "entityID": "https://cas.cuni.cz/idp/shibboleth",
                    "geo": {"lat": 50.0705102, "lon": 14.4198844},
                    "title": "Univerzita Karlova v Praze",
                    "weight": -1000
                }
            ];

            // Show the IdP selector immediately instead of waiting for a click
            djc.always = true;
            // ACL: only return URLs on these hostnames are accepted
            djc.callback = IdPDiscovery.setup(djc, ['ufal-point-dev.ms.mff.cuni.cz', 'ufal-point.mff.cuni.cz']);

            $("body").DiscoJuice(djc);
        });
    </script>

</head>
<body style="background: #ccc">
</body>
</html>
