Medium Demo
| To be better able to understand this demo, we strongly recommend that you read the easy demo first. This page demonstrates and explains the Shibboleth login procedure in more detail and more technically than the easy demo. If you would like even more information on this topic, read the expert demo. |
Overview
Figure 1: Situation overview
The demo scenario is the same as described in the easy demo. A user wants to access a Shibboleth-enabled resource and has to be authenticated first. For this demo, the following hosts are involved (as you will see from the URLs):
- Resource is on 'kohala.switch.ch/secure/'
- WAYF service is on 'wayf-test.switch.ch'
- Home organization login is on 'dukono.switch.ch'
Phase 1 - User connects to Resource and is redirected
| To start the medium demonstration, try accessing the demo resource |
When you clicked on the 'demo resource' link, one of two things happened:
- You were granted access to the resource directly: your web browser already had a valid Shibboleth session, which is the case if you had authenticated earlier.
- You were redirected to the WAYF server: the web server on the resource host detected that you had not set up a Shibboleth session yet and therefore redirected you to the SWITCH WAYF server.
Figure 2: Redirect to WAYF server
The following steps explain what actually happened in this phase.
- Step 1:
- When you clicked on the 'demo resource' link, your web browser sent an HTTP request to 'kohala.switch.ch' for the web page '/secure/'.
- Step 2:
- Because you were not yet Shibboleth-authenticated, the web server answered with an HTTP redirect to the WAYF server at 'wayf-test.switch.ch'.
- Step 3:
- The WAYF server sent your web browser an HTML page with a pop-up list of all available Home Organizations.
Phase 2 - Home Organization Selection
Assuming that you had not already set up a Shibboleth session and were redirected to the WAYF server, your web browser should display a page like the one in Fig. 3.
| Select 'AAI Test Home Organization' as Home Organization for this demo and hit the 'Select' button. |
Phase 3 - User Authentication at Corresponding Home Organization
You should have been redirected to the login page of the AAI Test Home Organization.
Figure 4: User is redirected to login page of his Home Organization
When you hit the 'Select' button, the following happened.
- Step 4:
- Your web browser sent the form data to the WAYF server 'wayf-test.switch.ch'. The data sent is basically the Home Organization you selected.
- Step 5:
- The WAYF server answered with an HTTP redirect that made your web browser request the login page of your Home Organization.
- Step 6:
- Provided you selected the 'Test Home Organization' as your Home Organization, the web server 'dukono.switch.ch' answered with the HTML login page.
Your web browser should now display something like the screen in Fig. 5.
| Use the credentials 'demouser' for user ID and 'demo' for password. Then click on 'Log in'. |
If you selected a Home Organization other than 'Test Home Organization @SWITCHaai', the login page looks different and is located on a server of the Home Organization you selected. In that case you have to provide the credentials valid at that Home Organization to log in successfully.
Besides a login name and password, other forms of credentials could be used, e.g. biometric authentication or a chip card, provided the Home Organization supports such authentication methods.
Phase 4 - Access to Resource Granted
Figure 6: Access to resource
You don't see much action during this phase, since the main activity happens directly between the resource and the Home Organization. You might only briefly see the screen shown in Fig. 7.
After that, you should have been redirected back to the resource you initially requested ('https://kohala.switch.ch/secure/'). If you see a screen like in Fig. 8 , the login worked properly.
The test resource basically shows all the available information about the user who logged in.
The steps that happened to get to this page were:
- Step 7:
- When you clicked on 'Log in', your web browser submitted your user ID and password (your 'credentials') to the web server of your Home Organization ('dukono.switch.ch').
- Step 8:
- The web server checked the user ID and password. If they were valid, it sent your web browser an HTTP redirect (see Fig. 6) back to the resource you initially requested. Together with this redirect your web browser received a handle (some opaque data that on its own says nothing about the user). The web browser forwarded this handle to the web server of the resource.
- Step 9:
- When the web server of the resource received the handle, it sent an attribute request containing that handle directly to your Home Organization.
- Step 10:
- The Home Organization checked the handle it received from the resource. To be valid, the handle must be presented by the resource it was issued for in step 8, and in time, i.e. before its timeout is reached. If it was valid, the requested attributes of the user the handle refers to were transmitted to the resource.
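To make the handle exchange in steps 7 to 10 concrete, here is a small model of the whole procedure (steps 1 to 10) in Python. It is an added example, not code from SWITCH or the Shibboleth project: the host names and the demo credentials are the ones used on this page, while the message shapes, the handle format, the 60 second handle lifetime, the '/login' path and the in-memory user store are assumptions of the model. The part to watch is 'attribute_request', which releases attributes only when the handle is presented by the resource it was issued for and has not timed out.

```python
"""Toy model of the ten-step Shibboleth login procedure described above.

Added example, not SWITCH or Shibboleth code. Host names and the demo
credentials are from the page; message shapes, the handle format, the
handle lifetime and the user store are assumptions of this model.
"""
import secrets
from dataclasses import dataclass, field

RESOURCE = "kohala.switch.ch"     # web server protecting '/secure/'
WAYF = "wayf-test.switch.ch"      # Home Organization chooser
HOME_ORG = "dukono.switch.ch"     # AAI Test Home Organization
HANDLE_LIFETIME = 60              # assumed handle timeout, in seconds


@dataclass
class HomeOrganization:
    host: str
    users: dict                                  # user ID -> (password, attributes)
    handles: dict = field(default_factory=dict)  # handle -> (user ID, resource, expiry)

    def login(self, user, password, resource, now):
        """Steps 7-8: check the credentials and, if valid, issue a handle.

        The handle is random and opaque: it carries no user data itself.
        The Home Organization remembers which user it stands for, which
        resource it was issued for, and when it expires.
        """
        record = self.users.get(user)
        if record is None or not secrets.compare_digest(record[0], password):
            return None                              # toy password store (constructed)
        handle = secrets.token_urlsafe(16)
        self.handles[handle] = (user, resource, now + HANDLE_LIFETIME)
        return handle

    def attribute_request(self, handle, requester, now):
        """Step 10: release attributes only to the right resource, and only in time."""
        entry = self.handles.get(handle)
        if entry is None:
            return None, "unknown handle"
        user, resource, expiry = entry
        if requester != resource:
            return None, "handle was issued for another resource"
        if now > expiry:
            return None, "handle expired"
        return self.users[user][1], "ok"


@dataclass
class Resource:
    host: str
    home_org: HomeOrganization
    sessions: dict = field(default_factory=dict)   # browser -> attributes

    def get(self, browser, handle, now):
        """Steps 1-2 and 9: serve '/secure/' or send the browser to the WAYF.

        Returns (HTTP status, body). 'handle' is the opaque data the browser
        forwards after logging in at its Home Organization (step 8).
        """
        if browser in self.sessions:                 # valid session: direct access
            return 200, self.sessions[browser]
        if handle is None:                           # no session, no handle: redirect
            return 302, f"https://{WAYF}/"
        attrs, reason = self.home_org.attribute_request(handle, self.host, now)
        if attrs is None:
            return 403, reason
        self.sessions[browser] = attrs               # session established
        return 200, attrs


def run_demo(user="demouser", password="demo", delay=0):
    """Play steps 1-10 end to end; returns (transcript, final response).

    'delay' is how many seconds pass between the login and the attribute
    request, so that an expired handle can be exercised.
    """
    home_org = HomeOrganization(HOME_ORG, {"demouser": ("demo", {"uid": "demouser"})})
    resource = Resource(RESOURCE, home_org)
    browser, now, log = "browser-1", 1_000_000, []

    status, body = resource.get(browser, None, now)          # steps 1-2
    log.append(("1-2", status, body))
    if status != 302:
        return log, (status, body)
    # Steps 3-6: WAYF page, selection, redirect to the Home Organization's
    # login page (the '/login' path is an assumption of this model).
    log.append(("3-6", 302, f"https://{HOME_ORG}/login"))
    handle = home_org.login(user, password, RESOURCE, now)   # steps 7-8
    log.append(("7-8", "handle issued" if handle else "bad credentials"))
    if handle is None:
        return log, (401, "login failed")
    status, body = resource.get(browser, handle, now + delay)   # steps 9-10
    log.append(("9-10", status, body))
    return log, (status, body)


if __name__ == "__main__":
    for step in run_demo()[0]:
        print(*step)
```

Running the module prints the transcript of a successful login; calling 'run_demo(password="wrong")' or 'run_demo(delay=61)' shows the two failure modes that stay invisible in the browser, a rejected login and an expired handle, and calling 'attribute_request' with a different requester host shows the handle being refused to a resource it was not issued for.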
Summary - Shibboleth Login Procedure
Figure 9: The whole login procedure
Fig. 9 shows all steps that happened during the login procedure. As you may have noticed, your web browser was redirected several times because you authenticated not at the resource, but at your Home Organization. Steps 9 and 10 took place in the background over a direct connection between the resource and the Home Organization.
All connections are secured by SSL. All Home Organizations and their resources have agreed to the AAI Service Agreement, which guarantees confidential use of user data according to the Swiss data protection law.
Expert Demo
| Read the expert demo for even more detailed information. |