Shibboleth
I've been working on setting up Shibboleth for web authentication. Mostly so people we don't trust can authenticate our users against our stuff.
There are a zillion overviews out there, so this just contains stuff I didn't see everywhere else:
- Shibboleth is a web server module. The IdP is Java, so it runs on Tomcat. The client is, as far as I know, a C++ library that runs on your client Apache server, but I don't think it's a real Apache module. The point here is, you have to have server garbage to make either end work; you can't just include a lib_SAML.blah for your language of choice and be off to the races.
- Shibboleth handles the SAML conversation, not the actual authentication. The authentication is handled by Apache or Tomcat, depending on how you set it up. Basically, anything that can access the URL handled by Shibboleth is considered authenticated, so make sure your Apache setup authenticates correctly (this isn't really true, but it's basically true: Shibboleth needs a mod_auth_something to tell it the submitted username).
- testshib rocks! Start using it before you do anything else. Before you unpack the Shibboleth source, get as far as you can with testshib. Seriously.
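The point about "anything that can reach the URL is considered authenticated" is where SP deployments usually go wrong, so here is an added Apache SP configuration example (not from the original post and not the Shibboleth project's own sample config) contrasting a lazy session, where the application can be reached with an empty REMOTE_USER, with a required session. The paths /legacy, /app and /app/admin and the attribute id `affiliation` are assumptions for illustration.

```apache
# Hypothetical Apache httpd 2.4 fragment for a host running the Shibboleth SP
# (shibd + mod_shib). Paths and the attribute id are made up for this example.

# Keep the default: attributes arrive in environment variables, not in HTTP
# headers that a client could try to supply itself.
ShibUseHeaders Off

# WEAK: a "lazy session". requireSession 0 lets unauthenticated requests through
# and only fills REMOTE_USER / attribute variables when a session already exists.
# An application under /legacy that simply trusts REMOTE_USER is reachable
# anonymously (REMOTE_USER is just empty), so the "authenticated" assumption
# from the notes above does not hold here.
<Location /legacy>
    AuthType shibboleth
    ShibRequestSetting requireSession 0
    Require shibboleth
</Location>

# CORRECTED: force a Shibboleth session for everything under /app. A request
# without a valid SP session is sent to the IdP by the SP's session initiator
# before it ever reaches the application, so mod_shib has always populated
# REMOTE_USER by the time the app runs.
<Location /app>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
</Location>

# Tighter still: require a specific released attribute value rather than just
# "has a session". The id "affiliation" must match the SP's attribute-map.xml.
<Location /app/admin>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-attr affiliation staff
</Location>
```

A quick check after reloading httpd: an unauthenticated GET of /app should redirect to the IdP rather than return the application page, while /legacy will answer directly with REMOTE_USER unset.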
