AAI Tools
This page contains some tools and services that are developed and offered by SWITCH.
AAI Portal
The AAI Portal is an open-source project (GPL license) that can be used for Shibboleth resources such as WebCT, which cannot (yet) be directly used with Shibboleth.
It was originally a project by the University of Bern, Institut für Angewandte Mathematik, as part of a Swiss Virtual Campus project. Since the beginning of 2004, SWITCH has maintained and further developed this tool.
The AAI Portal is based on PHP/MySQL and acts as a broker between a deployed Authentication and Authorization Infrastructure (AAI) and several resources. For example, it can act as a visible portal (interactive mode) as well as an invisible authentication gateway to WebCT (transparent mode). Furthermore, it supports several methods for subscribing users to WebCT servers. These range from granting access to individual users up to granting access to a group of users by providing them with an "e-ticket".
uApprove
uApprove (BSD license) is a tool which gets the user's consent before releasing his/her attributes to a Shibboleth Service Provider.
From the user's point of view he/she has to press an "OK" button in order to allow the transfer of the attributes.
The user also has the option to release all attributes to all Service Providers, such that he/she will never be asked again.
Experience shows that a large fraction of users prefer this option.
In addition, the Identity Provider administrator can configure uApprove such that the user has to accept the "Terms of Use" of the Identity Provider once before he/she can access any Service Provider.
Group Management Tool
The Group Management Tool (GMT) is a web application (BSD license) developed by SWITCH to create and manage groups of Shibboleth users from many different Identity Providers. The group information can be used by other web applications to make access control decisions. On one hand, this is accomplished by generating Apache .htaccess files that restrict access to web server directories based on the unique ID of a user. On the other hand, the group information can be queried by remote hosts via a PHP or Perl interface.
More about the Group Management Tool
SWITCHaai JXPlorer Template
Download SWITCHaai SwissEdu Schema Template for JXplorer
RemoteUserFilter
If the users on the Identity Provider side are authenticated against Active Directory, Kerberos or some older CAS versions, it may be necessary to modify the login name that Shibboleth reads from the REMOTE_USER environment variable. For example, the user may enter john.d@someschool.com (Kerberos username@REALM.XY) or otherschool\jane.d (Windows domain\samaccountname) as login name. However, if the username in the user directory is stored without the realm or domain, Shibboleth cannot fetch the proper attributes for this user. Therefore, the realm or domain has to be cut off from the entered login name. This can be done by the RemoteUserFilter.
The filter (BSD license) is placed between CAS (or another authentication system) and the Shibboleth Identity Provider and overrides the getRemoteUser() function of the servlet request in order to modify the login name.
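The mechanism described above, as an added illustration written for this page and not SWITCH's RemoteUserFilter code: a servlet filter wraps the request so that getRemoteUser() returns the login name with its Kerberos realm or Windows domain removed. The class name, the allowedSuffixes init parameter and the behaviour of rejecting unknown suffixes are assumptions of this example.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical filter: strips "@REALM" or "DOMAIN\" from REMOTE_USER before the IdP sees it. */
public class RealmStrippingFilter implements Filter {

    // Realms/domains this IdP is willing to map onto local directory accounts (lower-cased).
    private final Set<String> allowedSuffixes = new HashSet<>();

    @Override
    public void init(FilterConfig cfg) {
        // Assumed init-param, e.g. "someschool.com,otherschool"; an empty list strips nothing.
        String v = cfg.getInitParameter("allowedSuffixes");
        if (v != null) for (String s : v.split(",")) allowedSuffixes.add(s.trim().toLowerCase(Locale.ROOT));
    }

    /** Returns the bare user name, or null if the login carries a realm/domain that is not allowed. */
    String stripRealmOrDomain(String login) {
        if (login == null) return null;
        int at = login.indexOf('@');
        if (at > 0) {                                   // user@REALM.XY
            String realm = login.substring(at + 1).toLowerCase(Locale.ROOT);
            return allowedSuffixes.contains(realm) ? login.substring(0, at) : null;
        }
        int bs = login.indexOf('\\');
        if (bs > 0) {                                   // DOMAIN\samaccountname
            String domain = login.substring(0, bs).toLowerCase(Locale.ROOT);
            return allowedSuffixes.contains(domain) ? login.substring(bs + 1) : null;
        }
        return login;                                   // already a plain user name
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest wrapped = new HttpServletRequestWrapper((HttpServletRequest) req) {
            @Override public String getRemoteUser() { return stripRealmOrDomain(super.getRemoteUser()); }
        };
        chain.doFilter(wrapped, res);                   // the IdP now reads the normalized name
    }

    @Override
    public void destroy() {}
}
```

Checking the suffix against a known list matters: blindly cutting everything after "@" would let john.d@someschool.com and john.d@elsewhere.org collapse onto the same local account, so a null result (no attributes, no login) is the safer outcome for an unexpected realm.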
Resource Registry
The Resource Registry (BSD license) is a central repository containing data about the identity providers (IdPs) and service providers (SPs) available within SWITCHaai. It collects general information about IdPs and SPs, such as the organization they belong to and contact information. Additional data, e.g. description and purpose, is gathered for SPs. For data protection reasons, the owners of SPs have to declare the minimal set of attributes their SP requires. The Resource Registry implements a process for gathering and approving such declarations. The data is then used to generate the metadata files and attribute release policy (ARP) files used throughout the federation. ARP files are essential for complying with data protection and privacy requirements. While all those files could also be managed locally (by each server administrator in the federation), the Resource Registry greatly simplifies that process and improves reliability.
More about the Resource Registry
Shibboleth Log Viewer
Many things can go wrong when setting up a Shibboleth Identity Provider or Service Provider. In order to make the log entries of IdPs and SPs available to other Shibboleth administrators for debugging purposes, SWITCH has developed the "Shibboleth Log Viewer" (BSD license). This set of scripts (a CGI Perl script and JavaScript AJAX) reads and parses the Shibboleth log file. It works much like the UNIX 'tail' command, but the script also does syntax highlighting and auto-indenting of SAML messages. If you want to see it in action (Firefox works best), open the SP Log or IdP Log and, in a second web browser window, access a Shibboleth 2 resource (use demouser/demo as login name/password).
Download the Shibboleth 1.x Log Viewer
Download the Shibboleth 2.x Beta Log Viewer
Update ARP Script
UpdateARP is a Perl script (BSD license) that can be used to automatically update the Attribute Release Policy (ARP) file of an identity provider. The script can either download an ARP file via HTTPS from a site like the Resource Registry or use a local file. The ARP file is then checked and the specified rules are applied. These rules can add or remove attributes for any identity provider or for the ARP default rule.
Finally the old and new ARP files are compared and the differences can be sent to one or more administrators in an easily readable format.
Virtual Home Organization Service
In some cases there are users who do not have an AAI account but need access to an AAI-enabled resource. In that case the Virtual Home Organization (VHO) Service may be used. The VHO (BSD license) lets administrators create and maintain AAI accounts via a web interface. The attributes of VHO users mark them as special, and in general they have access only to a particular resource.
WAYF Service
To guide users from a service provider to their identity provider, SWITCHaai provides an official "Where Are You From" (WAYF) service. See it in action: Attribute Viewer.
The implementation developed by SWITCH (BSD license) has several additional features compared to the official Shibboleth WAYF from Internet2. It is a lightweight PHP implementation that supports multiple languages, several ways of preselecting an identity provider and a feature called Embedded WAYF that allows easy integration directly into a web resource.
X.509 login handler
The X.509 login handler provides strong authentication with X.509 user certificates for Shibboleth IdP 2. SWITCH has contributed it to the Shibboleth project.
Find the documentation on the Shib2 Wiki: https://spaces.internet2.edu/display/SHIB2/X.509+Login+Handler
The source code is in the shib-extensions part of the Internet2 SVN repository.
