This 2-hour session determined what development is necessary to fully integrate Shibboleth within uPortal.

Integration areas

1. Authentication to the portal

2. Getting a user's groups and attributes

3. User proxying

Authentication to the portal

This is just a configuration exercise. Basically, use mod_shib in Apache to protect the portal's location, and within uPortal, grab the username from the servlet API (REMOTE_USER).
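
A minimal sketch of that configuration, added here as an example and not taken from the session or from either project. It assumes Apache 2.4 with a current Shibboleth SP module, the portal deployed at /uPortal, and Tomcat reached over AJP on localhost:8009; the path, host and port are hypothetical.

```apache
# Added example. The /uPortal path and the AJP host/port are assumptions.

# Every request under the portal's location must carry a Shibboleth session.
<Location /uPortal>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # Export attributes as environment variables, not request headers,
    # so a client cannot supply its own values (this is the SP default).
    ShibUseHeaders Off
    Require shib-session
</Location>

# Hand the authenticated request to the servlet container over AJP.
# REMOTE_USER travels with the AJP request; its value comes from the
# attribute(s) named in the REMOTE_USER setting of shibboleth2.xml.
ProxyPass /uPortal ajp://localhost:8009/uPortal

# On the Tomcat side (server.xml, shown here only as a comment):
#   <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
#              tomcatAuthentication="false" ... />
# tomcatAuthentication="false" makes request.getRemoteUser() return the
# user Apache authenticated. Keep the connector bound to loopback so that
# only Apache can assert a username to the portal.
```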

Getting a user's groups and attributes

User proxying

A high-level sequence diagram gives the general approach to the 4-tier flow in which a user is proxied through the portal and a portlet to an external service. Essential underpinnings of this approach are

A Visio of the above is available, in case you'd like to play!

Next steps

Scott Cantor will draft initial specs for IdP enhancements needed to (1) support ECP and (2) add support for expressing policy that constrains delegation of proxy tokens.

Scott Cantor will draft initial specs for the overall flow (of which the above is an inaccurate but indicative form).

~battags will review the above draft spec to ascertain degree of harmony with the existing CAS proxy flows.

Scott Cantor will enhance the Shibboleth SP to provide suitable logging of and policy control over acceptance of proxy tokens. will draft initial specs for the work needed to complete the servlet filter mentioned above, as well as recommendations for using the PersonDirectory and PAGS for storing SAML attributes and mapping the user to uPortal groups.

~awp9 will review the various draft specs to ensure that together they produce a viable solution.

unknown will develop specs for a library (or whatever) to enable portlets to implement the ECP profile.

Tom Barton will identify or provide a space in which to continue collaborative work on this topic, and will coordinate with appropriate Internet2, Unicon, U Chicago, and other people to keep this effort on track.

Tom Barton will ensure that a portion of Unicon's engagement with U Chicago's uPortal deployment is assigned to this development activity.

Tom Barton will ensure that JISC is brought in to learn of any interest they may have in this effort.