Shibboleth / SAML / SSO -- Working Implementation for Higher Ed

Our campus, like many others around the US, is part of the InCommon federation, and shares a federated SAML authentication pool. So, while IT services had straightforward documentation for how to plug Shibboleth into Apache2 to protect a “regular” website, it was very unclear how to connect that with Discourse.

After banging our heads against it for a while, the clear (and now obvious) solution was to create a separate SSO endpoint that is Shibboleth-protected, and point Discourse to that using the built-in SSO provider.

Instructions for SSO are here.

A few details:

  • The SSO endpoint we created is a single page of PHP, in a directory that requires Shibboleth authentication. Since our Discourse app is to be available to the entire university, any scoping is done at our IdP provider and not on our end.
  • It parses the payload and signature in the query string to verify, unpack, and get the nonce.
  • Then it gets a few bits about the user via $_SERVER['value'] values (uid, eppn, sn, givenname) to create the new payload.
  • It then reassembles a new payload, with nonce, encodes it and generates a new hash, then HTTP GETs the user back to the right endpoint on our Discourse site.
  • The only hangup was that I was generating the HMAC-SHA256 signature on the urlencoded payload and not the base64 payload. Once I saw that mistake and signed the latter, it worked perfectly.
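The round trip described in the list above, written out as an added example in Python (not the PHP page from the original post): verify Discourse's signature over the base64 payload, pull out the nonce, build the reply from the Shibboleth attributes, sign the new base64 payload and hand back the redirect URL. The attribute mapping (uid as external_id, eppn as e-mail) and the `make_discourse_request` stand-in for Discourse's side are assumptions made for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

def sign(secret: str, sso_b64: str) -> str:
    # HMAC-SHA256 over the base64 string itself, hex-encoded. Signing the
    # URL-encoded form of it instead is the mistake described in the post.
    return hmac.new(secret.encode(), sso_b64.encode(), hashlib.sha256).hexdigest()

def verify_and_decode(sso_b64: str, sig_hex: str, secret: str) -> dict:
    # Constant-time compare before touching the payload, then unpack the
    # query string that the base64 wraps.
    if not hmac.compare_digest(sign(secret, sso_b64).encode(), sig_hex.encode()):
        raise ValueError("bad SSO signature")
    decoded = base64.b64decode(sso_b64).decode()
    return {k: v[0] for k, v in parse_qs(decoded).items()}

def handle_sso_endpoint(query: dict, server_env: dict, secret: str) -> str:
    # query: the GET parameters as the web framework hands them over (already
    # URL-decoded); server_env: $_SERVER-style attributes set by the Shibboleth
    # SP module. Returns the URL to send the browser back to.
    fields = verify_and_decode(query["sso"], query["sig"], secret)
    if "nonce" not in fields or "return_sso_url" not in fields:
        raise ValueError("payload missing nonce or return_sso_url")
    payload = urlencode({
        "nonce": fields["nonce"],            # echoed back so Discourse can match it
        "external_id": server_env["uid"],    # stable campus id
        "username": server_env["uid"],
        "email": server_env["eppn"],         # assumption: eppn doubles as e-mail
        "name": f"{server_env['givenname']} {server_env['sn']}",
    })
    sso_b64 = base64.b64encode(payload.encode()).decode()
    reply = urlencode({"sso": sso_b64, "sig": sign(secret, sso_b64)})
    return f"{fields['return_sso_url']}?{reply}"

def make_discourse_request(nonce: str, return_url: str, secret: str) -> dict:
    # Constructed stand-in for what Discourse sends to the endpoint.
    inner = urlencode({"nonce": nonce, "return_sso_url": return_url})
    sso_b64 = base64.b64encode(inner.encode()).decode()
    return {"sso": sso_b64, "sig": sign(secret, sso_b64)}

def decode_redirect(url: str, secret: str) -> dict:
    # Discourse's side of the round trip: verify and unpack the reply.
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    return verify_and_decode(q["sso"], q["sig"], secret)
```

If the SP module exposes attributes under prefixed names (for example via Apache's environment rather than request headers), adapt the `server_env` keys to what your deployment actually sets.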

You could do this in PHP, Python, Ruby, anything that can run simply in a web environment that Shibboleth plays nicely with.

The Discourse team did a good job on this feature – I like that you can pass basic bits of user data to the SSO and a new account is stubbed out without any fuss.