ARCHER Security Provider

Introduction

Some research into using Shibboleth from the desktop, and into retrieving certificates from web servers, was done as part of the ARCHER project. This research did not form part of the final deliverables but is made available here as a starting point for further research.

Documentation and Source Code

Information regarding the various components of the Archer Cert Provider can be found in the links below:

Demonstrations

SP Access
Purpose: Access an SP target using Desktop Shibboleth.
1. Download the demo and extract it to some folder.

IDP Attributes Query
Purpose: Query Shibboleth attributes from an IDP, and debug an IDP's attribute release settings.
1. Download the demo and extract it to some folder, as in the previous one.

ARCHER Certificate Client
Purpose: Download a proxy certificate from the Archer Cert Provider.
1. Download the demo and extract it to some folder, as in the previous one.

ARCHER CA Client
Purpose: Generate an encrypted private key and obtain an X.509 certificate (not a proxy certificate) from the Archer CA. This key and certificate can then be used to generate proxy certificates for the client.
1. Download the demo and extract it to some folder, as in the previous one.

ARCHER Certificate Provider - Web Interface
Purpose: Get a proxy certificate from the Archer Cert Provider using the normal web interface.

ARCHER Certificate Provider - Post back interface
Purpose: Test the postback interface of the ArcherCertProvider.
Usage notes

Desktop Shibboleth

Desktop Shibboleth is a component which allows a desktop application to use Shibboleth for single sign-on.

To simulate a Shibboleth client, use the SPAccessClient class:

    SPAccessConfig config = new SPAccessConfig("https://treach.infodiv.unimelb.edu.au/secure");

To get back a Shib token, use the IDPClient class:

    IdpAuthenConfig idpConfig = new IdpAuthenConfig();

Note that in the above example you have to supply the details of the IDP you wish to connect to AND the details of a valid SP. The metadata for many IDPs and SPs is published on http://www.federation.org.au

To simulate the behaviour of an SP making attribute requests to an IDP:

    String idpAA = "https://openidp2.federation.org.au:8443/shibboleth-idp/AA";

It is worth noting that most IDPs at both level 1 and level 2 in the AAF do not protect their Attribute Authority (AA) well, so there is a high chance that the code above will return all of the attributes those IDPs hold.

Callback interface

With the callback interface, the certificate is automatically posted back to a predefined URL, <postback_url>. The address of the callback interface is http://mersey.its.monash.edu.au/ArcherCertProvider/jsp/PostBackTest.jsp

To use the postback, specify the <postback_url> in the "callback" parameter, with either HTTP GET or POST. For example, with GET:

    http://mersey.its.monash.edu.au/ArcherCertProvider/jsp/PostBackTest.jsp?callback=<postback_url>

An example <postback_url> is PostBackTest.jsp itself; this page displays the content of the Archer-generated credential, so you can try it by typing the following into a web browser:

    http://mersey.its.monash.edu.au/ArcherCertProvider/jsp/PostBackTest.jsp?callback=PostBackTest.jsp
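Because the "callback" parameter decides where the generated credential is posted, a deployment of the post-back interface should accept only targets it trusts. The class below is an added example, not code from the ARCHER Cert Provider; the class name CallbackValidator, the allow-listed host and the sample inputs are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

// Added example, not ARCHER Cert Provider code: checks a "callback" parameter
// before a credential is posted to it. Accepted targets are a relative path
// within the provider's own web application (e.g. "PostBackTest.jsp") or an
// absolute https URL whose host is on a deployment-configured allow-list.
public final class CallbackValidator {
    // Assumed deployment setting: hosts the credential may be posted to.
    private static final Set<String> ALLOWED_HOSTS = Set.of("mersey.its.monash.edu.au");

    // Returns true only if callback is acceptable as the post-back target.
    public static boolean isAllowed(String callback) {
        if (callback == null || callback.isEmpty()) return false;
        URI uri;
        try {
            uri = new URI(callback);
        } catch (URISyntaxException e) {
            return false;            // malformed: reject rather than guess
        }
        String path = uri.getPath();
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            // Relative target: stays inside the current context, no traversal.
            return path != null && !path.isEmpty()
                    && !path.startsWith("/") && !path.contains("..");
        }
        // Absolute target: https only, no embedded user-info, host allow-listed.
        // A scheme-relative "//host/x" has no scheme and is rejected here too.
        return "https".equalsIgnoreCase(uri.getScheme())
                && uri.getRawUserInfo() == null
                && uri.getHost() != null
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase());
    }

    public static void main(String[] args) {
        String[] samples = {            // constructed sample inputs
            "PostBackTest.jsp",
            "https://mersey.its.monash.edu.au/ArcherCertProvider/jsp/PostBackTest.jsp",
            "http://mersey.its.monash.edu.au/ArcherCertProvider/jsp/PostBackTest.jsp",
            "https://other.example/collect",
            "//other.example/x"
        };
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "accept " : "reject ") + s);
        }
    }
}
```

Only the first two samples are accepted; the plain-http, foreign-host and scheme-relative targets are rejected before any credential leaves the server.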