Athens DA Protocol: Difference between revisions
No edit summary |
No edit summary |
||
(39 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
{{shib-project}} | {{shib-project}} | ||
When using the gateway, you are in effect using [http://www.athensams.net/local_auth/athensda AthensDA], except that the eXtensible Authentication Point (XAP) (see [http://www.athensams.net/upload/athens/pdf/da_integration_guide.pdf AthensDA integration guide]) is run by Athens and delegates to the local site's Shibboleth IdP to identify users. Because of this, there is quite a lot of useful information to be found in the JISCMail [http://www.jiscmail.ac.uk/lists/athensda.html AthensDA list] as well as the [http://www.jiscmail.ac.uk/lists/JISC-SHIBBOLETH.html JISC-Shibboleth list] | |||
Details of the protocol between Athens and the XAP are available in the [http://www.athensams.net/upload/athens/pdf/da_integration_guide.pdf AthensDA integration guide]. Details of the protocol between Athens and the DSPs are largely available in [http://www.athensams.net/upload/athens/pdf/dspintegrationguide.pdf DSP integration guide] though there are additional resources that are only available to DSPs. | |||
The protocol apparently transfers at least | ==How it works== | ||
When using the gateway you end up with a chain of 4 things, each (except the last) deferring identifying who you are to the next one: | |||
Resource1 --> Athens --> Raven/Shibboleth --> Raven --- | |||
| | |||
Resource1 <-- Athens <-- Raven/Shibboleth <-- Raven <-- | |||
Each one remembers who you are if it's already seen you during the current browser session. For example you can keep on accessing the resource without further reference to Athens: | |||
Resource1 --- | |||
| | |||
Resource1 <-- | |||
and you can access a new Athens resource without further reference to Raven/Shibboleth | |||
Resource2 --> Athens --- | |||
| | |||
Resource2 <-- Athens <-- | |||
==Information provided to content providers== | |||
The protocol apparently transfers at least the following to the content provider: | |||
* a user name. When using the gateway, the user name is a 20-character random string starting '_'; apparently there is no guarantee that these will always be the same for the same user, but at present they are. | |||
* a persistent unique ID. When using the gateway, this is based on the eduPersonTargetedID provided by Shib, though it's not the same | |||
* an Organisation_Id, identifying the user's home organization | |||
Other data is also available, see the [http://www.athensams.net/upload/athens/pdf/dspintegrationguide.pdf DSP integration guide]. | |||
==URLs== | |||
Various 'interesting' URLs can be identified by watching the http interaction or by reading submissions to the mailing lists, but only a few are actually documented for use: | |||
The [http://www.athensams.net/upload/athens/pdf/da_integration_guide.pdf AthensDA integration guide] (section 3.4.4) documents the 'setorg' URL which can be used to set the ath_ldom cookie identifying the user's home institution. Note that <returl> can be anything, including other Athens URLs | |||
http://auth.athensams.net/setorg.php?id=<providerid>&ath_returl=<returl> | |||
** <providerid> your providerid | |||
** <returl> URL to return to once the cookie is set | |||
The [http://www.athensams.net/upload/athens/pdf/local_auth_integration_standards.pdf Local Authentication Integration Standards] document includes a logout url to terminate Athens authentication: | |||
https://auth.athensams.net/?ath_action=ssologout&ath_returl=<returl> | |||
** <returl> is optional and provides a URL to refer the user to once logout is complete. | |||
RSS feed of available resources: https://auth.athensams.net/my/resources/rss (but only available once authenticated?) | |||
Target Resource Locators (TRLs) are provided for creating persistent URLs to resources that will trigger authentication: | |||
From: Eduserv Athens Local Authentication Support <athens-la@EDUSERV.ORG.UK> | |||
To: ATHENSDA@JISCMAIL.AC.UK | |||
Date: Tue, 14 Feb 2006 17:20:10 -0000 | |||
... | |||
The new service URL format is called a target resource locator (TRL), | |||
which uses a combination of: | |||
* the URL of the Athens authentication point (AP) | |||
* a TRL identifier | |||
* a resource identifier | |||
The basic format of a TRL is therefore: | |||
https://auth.athensams.net/trl/1.0/-/RESOURCE_ID | |||
It appears that adding ?ath_action=noHddsSession will bypass the HDD service and so allow someone logged in via the gateway to access a particular service using their Classic Athens account: | |||
From: Eduserv Athens Local Authentication Support <athens-la@EDUSERV.ORG.UK> | |||
To: JISC-SHIBBOLETH@JISCMAIL.AC.UK | |||
Date: Tue, 14 Feb 2006 17:20:08 -0000 | |||
Subject: Access to services not compliant with Shibboleth - Athens gateway | |||
As some of you know, Eduserv have been working on a method of allowing | |||
users at Shibboleth IdPs to use Athens-protected services that do not | |||
meet Athens implementation standards... | |||
The fix developed by Eduserv allows a user from a Shibboleth IdP to log | |||
into non-gateway compliant services with a classic Athens account. It | |||
uses a URL format called a target resource locator (TRL), which uses a | |||
combination of: | |||
* the URL of the Athens authentication point (AP) | |||
* a TRL identifier | |||
* a resource identifier | |||
* an extra parameter to pass at the Athens AP: ath_action=noHddsSession | |||
The basic format of a TRL is therefore: | |||
https://auth.athensams.net/trl/1.0/-/RESOURCE_ID?ath_action=noHddsSession | |||
A list of TRLs for non-gateway compliant services is below [...] | |||
Dialog DataStar | |||
https://auth.athensams.net/trl/1.0/-/DIALOG_DATASTAR?ath_action=noHddSession | |||
International Who's Who | |||
https://auth.athensams.net/trl/1.0/-/WORLD_WHO_WHO?ath_action=noHddSession | |||
JISC PDS | |||
https://auth.athensams.net/trl/1.0/-/PDS?ath_action=noHddSession | |||
LexisNexis Professional and Executive | |||
https://auth.athensams.net/trl/1.0/-/Lexis?ath_action=noHddSession | |||
Oxford Scholarship Online | |||
https://auth.athensams.net/trl/1.0/-/OUP_OSO?ath_action=noHddSession | |||
ProQuest | |||
https://auth.athensams.net/trl/1.0/-/PROQUEST?ath_action=noHddSession | |||
==Cookies== | ==Cookies== | ||
* ath_ldom, domain .athensams.net, expires | * ath_ldom, domain .athensams.net, expires +5 yeasrs: contains hom providerID, used by the Home Domain Discovery service to automatically refer authentication to the gateway. | ||
* ath_da, domain .athensams.net, session: set following authentication, purpose unknown, contains '2' | |||
* ath_username, domain .athensams.net, session: set following authentication, contains Athens usrname, used to support SSO | |||
* ath_ltoken, domain .athensams.net, session: contains the L token which supports SSO | |||
* __utma, __utmb, __utmc, __utmz: Google analyticics | |||
==Authentication sequences== | |||
===Clean start=== | |||
Starting with no relevant cookies, choosing 'Athens login' takes you to | |||
http://auth.athensams.net/?ath_dspid=<dspid>&ath_returl=<returl> | |||
* <dspid> is the service providerid - e.g. EDINA.FILMSOUND | |||
* <returl> is the URL to access once authentication is complete | |||
This results in a redirect to the same URL over https, which displays the [[Media:Athens-login.png | Athens user id/password box]] (possibly customised for the site). Selecting 'Alternate login from there takes you to | |||
https://auth.athensams.net/orglist.php?ath_returl=<returl>&ath_dspid=<dspid> | |||
which displays the [[Media:Athens-alternate-login.png | standard Athens HDDS organisation chooser]]. Selecting a particular organisation takes you to | |||
https://auth.athensams.net/setsite.php?ath_dspid=<dspid>&ath_returl=<returl>&id=<providerid> | |||
* <providerid> is the selected identity provider's id | |||
This displays a [[Media:Athens-setsite-confirm.png | message confirming the institution]] and asking if you want to remember it (in the ath_ldom cookie) for the future. Clicking 'GO>>' (assuming you leave the remember box checked) takes you to | |||
https://auth.athensams.net/setsite.php?ath_dspid=<dspid>&ath_returl=<returl>&id=<providerid>&originProfile=4&doLogin=1&remChk=1&submit=++++Go+%BB+++ | |||
which redirects to | |||
https://auth.athensams.net/?ath_action=setldom&id=<providerid>&ath_dspid=<dspid>&ath_returl=<returl> | |||
which sets the ath_ldom cookie and redirects to | |||
https://auth.athensams.net/?ath_dspid=<dspid>&ath_returl=<returl>&id=<prviderid>&ath_action=shaauth | |||
Which redirects to the organisation's Shibboleth SSO handler. The ''target'' authentication request parameter, normally the URL of the eventual target of the authentication, appears to be an opaque string of some sort, perhaps the AthensDA DA_sso_req packet. | |||
The organisation completes a Shibboleth authentication and posts the result to | |||
https://auth.athensams.net/saml/PostRcv | |||
The post contains a copy of the <target> from the request and the a SAML authentication response. This sets session cookies ath_da=2, ath_username=<id>, and ath_ltoken=<ltoken>. | |||
* <id> is an Athens userid. When using the gateway this is a randomly allocated string starting '_', e.g. _wplsf6omk2rfw7lfveb | |||
* <ltoken> is the AthensDA 'L' token, used to maintain SSO session, e.g. %3CRlMlVeMTj8BvvBMx3w%3E | |||
A zero-delay META-refresh then causes the browser to retrieve: | |||
<returl>&ath_user=<id>&ath_ttok=<ttoken> | |||
* <ttoken> is the AThensDA 'T' token, used to transfer the user's identity to the DSP, e.g. %3CRlK1EaMyq%2FIMcMjuAA%3E | |||
which redirects to the real service URL. | |||
===Another site, while still logged-in=== | |||
Choosing 'Athens login' goes to | |||
http://auth.athensams.net/?ath_returl=<returk>&ath_dspid=<dspid> | |||
which redirects to the same URL over https, which uses a zero-delay META-refresh to causes the browser to request | |||
<returl>?ath_user=<id>&ath_ttok=<tok> | |||
which redirects to the real service URL. | |||
===Any site, having quit and restart the browser=== | |||
Choosing 'Athens login' goes to | |||
http://auth.athensams.net/?ath_dspid=<dspid>&ath_returl=<returl> | |||
which redirects to the same URL over https: which displays the [[Media:Athens-login-continue.png | Continue to login page]]. Selecting the main link takes you to | |||
https://auth.athensams.net/?ath_dspid=<dspid>&ath_returl=<returl>id=<providerid>&ath_action=shaauth | |||
Which redirects to the organisation's Shibboleth SSO handler. The ''target'' authentication request parameter, normally the URL of the eventual target of the authentication, appears to be an opaque string of some sort, perhaps the AthensDA DA_sso_req packet. | |||
The organisation completes a Shibboleth authentication and posts the result to | |||
https://auth.athensams.net/saml/PostRcv | |||
The post contains a copy of the <target> from the request and the a SAML authentication response. This sets session cookies ath_da=2, ath_username=<id>, and ath_ltoken=<ltoken>. | |||
* <id> is an Athens userid. When using the gateway this is a randomly allocated string starting '_', e.g. _wplsf6omk2rfw7lfveb | |||
* <ltoken> is the AthensDA 'L' token, used to maintain SSO session, e.g. %3CRlMlVeMTj8BvvBMx3w%3E | |||
A zero-delay META-refresh then causes the browser to retrieve: | |||
<returl>&ath_user=<id>&ath_ttok=<ttoken> | |||
* <ttoken> is the AThensDA 'T' token, used to transfer the user's identity to the DSP, e.g. %3CRlK1EaMyq%2FIMcMjuAA%3E | |||
which redirects to the real service URL. | |||
===Classic Athens (for comparison)=== | |||
Choosing 'Athens login' takes you to | |||
http://auth.athensams.net/?ath_dspid=<dspid>&ath_returl=<returl> | |||
This redirects to the same URL over https:, which displays the Athens username/password page. Entering a username/password and clicking login posts ath_uname and ath_passwd to | |||
https://auth.athensams.net/?ath_returl=<returl>&ath_dspid=<dspid> | |||
This sets session cookies ath_da=2, ath_username=<id>, and ath_ltoken=<ltoken>. | |||
* <id> is an Athens userid. When using the gateway this is a randomly allocated string starting '_', e.g. _wplsf6omk2rfw7lfveb | |||
* <ltoken> is the AthensDA 'L' token, used to maintain SSO session, e.g. %3CRlMlVeMTj8BvvBMx3w%3E | |||
A zero-delay META-refresh then causes the browser to retrieve: | |||
<returl>&ath_user=<id>&ath_ttok=<ttoken> | |||
* <ttoken> is the AThensDA 'T' token, used to transfer the user's identity to the DSP, e.g. %3CRlK1EaMyq%2FIMcMjuAA%3E | |||
which redirects to the real service URL. | |||
==Captured URLs== | |||
Real URLs captured during various interactions: | |||
===Default start=== | |||
1. Starting with no cookies, login to Film & Sound @ http://www.filmandsound.ac.uk/. Choose 'Athens login' | |||
http://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=42&y=14 | |||
2. redirect to | |||
https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=42&y=14 | |||
3. Displays Athens username & password box. Select 'Alternative Login' | |||
https://auth.athensams.net/orglist.php?ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&ath_dspid=EDINA.FILMSOUND | |||
4. Displays Athens HDDS chooser. Select 'Cardiff University' ('cos Cambridge not yet live) | |||
https://auth.athensams.net/setsite.php?ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&id=https%3A%2F%2Fidp.cardiff.ac.uk%2Fshibboleth&oid=218 | |||
5. Displays 'Go to Cardiff University' page with 'Save on this computer. Click 'OK' | |||
https://auth.athensams.net/setsite.php?ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&id=https%3A%2F%2Fidp.cardiff.ac.uk%2Fshibboleth&oid=218 | |||
6. redirect to | |||
https://auth.athensams.net/?ath_action=setldom&id=https://idp.cardiff.ac.uk/shibboleth&ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D | |||
7. Sets auth_ldom cookie, redirects to | |||
https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&id=https%3A%2F%2Fidp.cardiff.ac.uk%2Fshibboleth&ath_action=shaauth | |||
8. redirect to | |||
https://idp.cardiff.ac.uk/shibboleth-idp/SSO?shire=https%3A%2F%2Fauth.athensams.net%2Fsaml%2FPostRcv&target=WlpjSDFUcHp5dDREMGZpQk34kltZLjGuSYUxm7fxxIlcNti8frex3VK3vKyylGgyyzGL6W5YzeAZmDt%2FVe6kyMQ36IzB5W3y%2FHNJTjDozxiJT5%2BI7MAwj0qTeGq4J3do8atjki5vpU%2B%2ByRN2WzeNYfzqmBRWH%2FTX96c1T8c9H5yEvu4W72Eq%2FcmseFd%2F%2FOQrGdJLay5qNu0dTh6tmK8Gu5WsrX9jCh8HZVxttqtt5aVQZdwLLW8Oz4RB19PVBz0M3tmfT58Kl2ffxqZEMJtIjXA2anf2XBpk80JmnrQJWNc%3D&time=1179728690&providerId=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Afederation%3Auk | |||
9. Displays Cardiff's local authentication page | |||
===The same, as if from Cambridge=== | |||
1. Fake the result of 4) above but choosing 'Cambridge' from the HDDS chooser by entering | |||
https://auth.athensams.net/setsite.php?ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&id=urn:mace:eduserv.org.uk:athens:provider:cam.ac.uk | |||
2. Displays 'Go to the Cambridge University login' page. Leave 'Remember this Org' checked. Click 'Go>>' | |||
https://auth.athensams.net/setsite.php?ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&id=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Aprovider%3Acam.ac.uk&originProfile=4&doLogin=1&remChk=1&submit=++++Go+%BB+++ | |||
3. Redirects to | |||
https://auth.athensams.net/?ath_action=setldom&id=urn:mace:eduserv.org.uk:athens:provider:cam.ac.uk&ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D | |||
4. Sets auth_ldom cookie, redirects to | |||
https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&id=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Aprovider%3Acam.ac.uk&ath_action=shaauth | |||
5. Redirects to | |||
https://shib.raven.cam.ac.uk/shibboleth-idp/SSO?shire=https%3A%2F%2Fauth.athensams.net%2Fsaml%2FPostRcv&target=ZFA0aXhSZjhjNHhXV2MybasvguUrMSbNF5sQ4lSOgc6317IRIVcse4G3po0e%2BkWkz2MtytmCl%2B0sgd12a3uByyf82zWgUB%2BcZe%2FimgKgJzOET1vdzFFpZocqwozvWLt49CZggwR2eq%2B80kq%2FuAcNARhOzkC8vyboZr6JEpHCm%2FfPZTvKgfZkXtMQ2YS4J%2FtwpOng%2Fo%2BGtBTNjt5AEYUT0Btk7zcAiJ7DTYij53WZiAPFmabB4A%2FPjxKKtsy9%2BnS8XOU13ha3MPMPtxU4H5l9FD1hYCM0M10XbgFYcKGlXW0%3D&time=1179730412&providerId=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Afederation%3Auk | |||
6. Redirects to | |||
https://raven.cam.ac.uk/auth/authenticate.html?ver=1&url=https%3a%2f%2fshib.raven.cam.ac.uk%2fshibboleth-idp%2fSSO%3fshire%3dhttps%253A%252F%252Fauth.athensams.net%252Fsaml%252FPostRcv%26target%3dZFA0aXhSZjhjNHhXV2MybasvguUrMSbNF5sQ4lSOgc6317IRIVcse4G3po0e%252BkWkz2MtytmCl%252B0sgd12a3uByyf82zWgUB%252BcZe%252FimgKgJzOET1vdzFFpZocqwozvWLt49CZggwR2eq%252B80kq%252FuAcNARhOzkC8vyboZr6JEpHCm%252FfPZTvKgfZkXtMQ2YS4J%252FtwpOng%252Fo%252BGtBTNjt5AEYUT0Btk7zcAiJ7DTYij53WZiAPFmabB4A%252FPjxKKtsy9%252BnS8XOU13ha3MPMPtxU4H5l9FD1hYCM0M10XbgFYcKGlXW0%253D%26time%3d1179730412%26providerId%3durn%253Amace%253Aeduserv.org.uk%253Aathens%253Afederation%253Auk&date=20070521T065333Z&desc=the%20University%20pilot%20Shibboleth%20service | |||
7. Displays 'Raven confirmation'. Click Continue | |||
https://raven.cam.ac.uk/auth/authenticate4.html | |||
8. Redirects to | |||
https://shib.raven.cam.ac.uk/shibboleth-idp/SSO?WLS-Response=1!200!!20070521T065751Z!1179730417-25013-8!https%3A%2F%2Fshib.raven.cam.ac.uk%2Fshibboleth-idp%2FSSO%3Fshire%3Dhttps%25253A%25252F%25252Fauth.athensams.net%25252Fsaml%25252FPostRcv%26target%3DZFA0aXhSZjhjNHhXV2MybasvguUrMSbNF5sQ4lSOgc6317IRIVcse4G3po0e%25252BkWkz2MtytmCl%25252B0sgd12a3uByyf82zWgUB%25252BcZe%25252FimgKgJzOET1vdzFFpZocqwozvWLt49CZggwR2eq%25252B80kq%25252FuAcNARhOzkC8vyboZr6JEpHCm%25252FfPZTvKgfZkXtMQ2YS4J%25252FtwpOng%25252Fo%25252BGtBTNjt5AEYUT0Btk7zcAiJ7DTYij53WZiAPFmabB4A%25252FPjxKKtsy9%25252BnS8XOU13ha3MPMPtxU4H5l9FD1hYCM0M10XbgFYcKGlXW0%25253D%26time%3D1179730412%26providerId%3Durn%25253Amace%25253Aeduserv.org.uk%25253Aathens%25253Afederation%25253Auk!jw35!!pwd!33534!!2!IESCcka6W7SOI3Hp3X2.eoZP8CU32oUjgt0Y0PkfsSbY4RstzNmKBrEdF5UjYuC5JIcsZvA.W20mTmaVnsjq7qFi14rMD6wHPl1JCIO9EN3lZWkPKzTWDUwS8Ekrt.g60KPyJwnGEwJw7RFoMwKE8JQAS5HDyTZy6BNkhs5qnM4_ | |||
9. Sets Ucam-WebAuth-Session-S cookie, redirects to | |||
https://shib.raven.cam.ac.uk/shibboleth-idp/SSO?shire=https%3A%2F%2Fauth.athensams.net%2Fsaml%2FPostRcv&target=ZFA0aXhSZjhjNHhXV2MybasvguUrMSbNF5sQ4lSOgc6317IRIVcse4G3po0e%2BkWkz2MtytmCl%2B0sgd12a3uByyf82zWgUB%2BcZe%2FimgKgJzOET1vdzFFpZocqwozvWLt49CZggwR2eq%2B80kq%2FuAcNARhOzkC8vyboZr6JEpHCm%2FfPZTvKgfZkXtMQ2YS4J%2FtwpOng%2Fo%2BGtBTNjt5AEYUT0Btk7zcAiJ7DTYij53WZiAPFmabB4A%2FPjxKKtsy9%2BnS8XOU13ha3MPMPtxU4H5l9FD1hYCM0M10XbgFYcKGlXW0%3D&time=1179730412&providerId=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Afederation%3Auk | |||
10. Sets JSESSIONID and shib_sp_<tandom hex> cookies. Displays 'Auth comlete, please wait' page. Posts to | |||
https://auth.athensams.net/saml/PostRcv | |||
11. Sets ath_da=2, ath_username=_<random hex>, ath_ltoken=<random hex>. Requests (via a no-delay META-refresh) | |||
http://service.filmandsound.ac.uk/cgi-bin/filmandsoundlogin-sso?athens_sso=1&edina3=1&=&ath_user=_wplsf6omk2rfw7lfveb&ath_ttok=%3CRlFDOKP4WcWDnunpfQ%3E | |||
12. Redirects to | |||
http://service.filmandsound.ac.uk/WebZ/html/tan.html?sessionid=01-44028-1376784429&active=3 | |||
13. Displays Film and Sound's terms of use | |||
===Repeat, already authenticated=== | |||
1. Try Film & Sound @ http://www.filmandsound.ac.uk/ again with all Athens cookies in place. Choose 'Athens login' | |||
http://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=31&y=13 | |||
2. Redirects to | |||
https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=31&y=13 | |||
3. Via a zero-delay METTA-refresh, equests | |||
http://service.filmandsound.ac.uk/cgi-bin/filmandsoundlogin-sso?athens_sso=1&edina3=1&=&ath_user=_wplsf6omk2rfw7lfveb&ath_ttok=%3CRlFHJqOzQzRuLRnNWw%3E | |||
4. Redirects to | |||
http://service.filmandsound.ac.uk/WebZ/html/tan.html?sessionid=01-44028-1817385508&active=3 | |||
5. Displays Film and Sound's terms of use | |||
===Repeat in new browser session=== | |||
1. Try Film & Sound @ http://www.filmandsound.ac.uk/ again with only persistent Athens cookies in place. Choose 'Athens login' | |||
http://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=26&y=13 | |||
2. Redirects to | |||
https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=26&y=13 | |||
3. Displays 'Continue to login' page. Select 'Cambridge University library' link | |||
https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&id=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Aprovider%3Acam.ac.uk&ath_action=shaauth | |||
4. Redirects to | |||
https://shib.raven.cam.ac.uk/shibboleth-idp/SSO?shire=https%3A%2F%2Fauth.athensams.net%2Fsaml%2FPostRcv&target=cFJ2aWhGTDRtNFZBcVZoSmylfpDG2jY1l1PO4zKMOxjqmUD7Cy%2BktbLd8K3TjeLkTDhgMNWFQoGDjKWt77selxYlANweI2BM47hiIv6M%2FcKlXrur1zSi3ngI7wbJawUAlhsIPdKqPKNYF0x%2BjzT4Ge9f8wmnCywIFi%2BWovXY1WTK431Dmf6hq9Xd4dyXh2b%2Bi2J4w5TOQ8dT86ur6M018xUcXKXpNrKGAJYKn55C3qLRzbEYF9KLGyeNybH6yX%2FzfgNU1dhg4LWqarDTSuV809SjCjQ52qSP8ADWzYBPFYg%3D&time=1179732171&providerId=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Afederation%3Auk | |||
5. Redirects to | |||
https://raven.cam.ac.uk/auth/authenticate.html?ver=1&url=https%3a%2f%2fshib.raven.cam.ac.uk%2fshibboleth-idp%2fSSO%3fshire%3dhttps%253A%252F%252Fauth.athensams.net%252Fsaml%252FPostRcv%26target%3dYVdvdjFKQlFzUmVQVlExeQyQ5Sezpjz50d18RNO7SlWT0GWE%252BImfLfQxBYHDhtpVSAjPH1F8xGhzQg2LRwtwM4328%252Ft5aiHN23PcTYIHc98ZdwiftHXrN31DjkC3FdcVY%252Fvb6JZMG2p4Fd4lhbxPbWw450d2yMiy4IOhP9x%252FmJ5MwR8yTnRpCXbpXGrYiUG8oSXV4%252Bu9dk8Jz%252BgBkwuTq%252FQMUS%252BuqIR%252FNEgNpYuQISEIBMnRYzzXwHfWEzy00sdQ5vvXADWYq%252FXjG4VUirc%252B%252BQQd9zbQSracWmfHFa2Nw3I%253D%26time%3d1179756160%26providerId%3durn%253Amace%253Aeduserv.org.uk%253Aathens%253Afederation%253Auk&date=20070521T140240Z&desc=the%20University%20pilot%20Shibboleth%20service | |||
5. Displays 'Raven confirmation'. Click 'Continue' | |||
https://raven.cam.ac.uk/auth/authenticate4.html | |||
6. Redirects to | |||
https://shib.raven.cam.ac.uk/shibboleth-idp/SSO?WLS-Response=1!200!!20070521T072505Z!1179732172-25012-12!https%3A%2F%2Fshib.raven.cam.ac.uk%2Fshibboleth-idp%2FSSO%3Fshire%3Dhttps%25253A%25252F%25252Fauth.athensams.net%25252Fsaml%25252FPostRcv%26target%3DcFJ2aWhGTDRtNFZBcVZoSmylfpDG2jY1l1PO4zKMOxjqmUD7Cy%25252BktbLd8K3TjeLkTDhgMNWFQoGDjKWt77selxYlANweI2BM47hiIv6M%25252FcKlXrur1zSi3ngI7wbJawUAlhsIPdKqPKNYF0x%25252BjzT4Ge9f8wmnCywIFi%25252BWovXY1WTK431Dmf6hq9Xd4dyXh2b%25252Bi2J4w5TOQ8dT86ur6M018xUcXKXpNrKGAJYKn55C3qLRzbEYF9KLGyeNybH6yX%25252FzfgNU1dhg4LWqarDTSuV809SjCjQ52qSP8ADWzYBPFYg%25253D%26time%3D1179732171%26providerId%3Durn%25253Amace%25253Aeduserv.org.uk%25253Aathens%25253Afederation%25253Auk!jw35!!pwd!35802!!2!kllLpHThJRMfWGRzOa17SyUm1tZR5NAO90p0RrCT.1Eyi0jZk7mLWVO5EiRJkTnNIJEt.DuEA2p1hQrxeDl5Pk38om-3oWQjXP9iH21rm9xwLphfiqSZERwX1lBXmKCA1L2Mtc5UUvReUFLje-HTaMMQUc2c38Uivr8q.vksW5I_ | |||
7. Sets Ucam-WebAuth-Session-S cookie, redirects to | |||
https://shib.raven.cam.ac.uk/shibboleth-idp/SSO?shire=https%3A%2F%2Fauth.athensams.net%2Fsaml%2FPostRcv&target=cFJ2aWhGTDRtNFZBcVZoSmylfpDG2jY1l1PO4zKMOxjqmUD7Cy%2BktbLd8K3TjeLkTDhgMNWFQoGDjKWt77selxYlANweI2BM47hiIv6M%2FcKlXrur1zSi3ngI7wbJawUAlhsIPdKqPKNYF0x%2BjzT4Ge9f8wmnCywIFi%2BWovXY1WTK431Dmf6hq9Xd4dyXh2b%2Bi2J4w5TOQ8dT86ur6M018xUcXKXpNrKGAJYKn55C3qLRzbEYF9KLGyeNybH6yX%2FzfgNU1dhg4LWqarDTSuV809SjCjQ52qSP8ADWzYBPFYg%3D&time=1179732171&providerId=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Afederation%3Auk | |||
8. Sets JSESSIONID and shib_sp_<random hex> cookies. Displays 'Auth complete, please wait' page, posts to | |||
https://auth.athensams.net/saml/PostRcv | |||
9. Sets ath_da, ath_username, ath_ltoken cookies. Uses a zero-delay META-refresh to request | |||
http://service.filmandsound.ac.uk/cgi-bin/filmandsoundlogin-sso?athens_sso=1&edina3=1&=&ath_user=_wplsf6omk2rfw7lfveb&ath_ttok=%3CRlFJmKPUztPFgr%2BvKA%3E | |||
10. Redirects to | |||
http://service.filmandsound.ac.uk/cgi-bin/filmandsoundlogin-sso?athens_sso=1&edina3=1&=&ath_user=_wplsf6omk2rfw7lfveb&ath_ttok=%3CRlFJmKPUztPFgr%2BvKA%3E | |||
11. Displays F&S's T&Cs. | |||
===Access different site=== | |||
1. African-American Poetry @ http://collections.chadwyck.co.uk/daap/htxview?template=basic.htx&content=frameset.htx. Select 'Athens users log in' | |||
http://collections.chadwyck.co.uk/athens/ | |||
2. Somehow(?) redirect to | |||
http://auth.athensams.net/?ath_returl=%22http%3A%2F%2Fcollections.chadwyck.co.uk%2FathensLogin%22&ath_dspid=CHADWYCK | |||
3. Redirect to | |||
https://auth.athensams.net/?ath_returl=%22http%3A%2F%2Fcollections.chadwyck.co.uk%2FathensLogin%22&ath_dspid=CHADWYCK | |||
4. Via a zero-delay METTA-refresh, redirect to | |||
http://collections.chadwyck.co.uk/athensLogin?ath_user=_wplsf6omk2rfw7lfveb&ath_ttok=%3CRlFNfaOPC26cgSyPKw%3E | |||
5. Redirect to | |||
http://collections.chadwyck.co.uk/home/home_aap.jsp?template=basic.htx&content=frameset.htx | |||
6. Display front page | |||
===Classic Athens, from clean start=== | |||
1. Starting with no cookies, login to Film & Sound @ http://www.filmandsound.ac.uk/. Choose 'Athens login' | |||
http://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=25&y=4 | |||
2. Redirect to | |||
https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=25&y=4 | |||
3. Displays Athens username/password page. Enter username/password, click login. Posts to the following with ath_uname and ath_passwd as POST parameters | |||
https://auth.athensams.net/?ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&ath_dspid=EDINA.FILMSOUND | |||
4. Sets ath_username, ath_ltoken. Requests, via a zero-delay META-refresh | |||
http://service.filmandsound.ac.uk/cgi-bin/filmandsoundlogin-sso?athens_sso=1&edina3=1&=&ath_user=camtsjw35&ath_ttok=%3CRlFhI6NBcCQXmBz75w%3E |
Latest revision as of 10:01, 22 May 2007
This was a working document belonging to the Computing Service's Shibboleth Development Project. This project is complete (Raven now supports Shibboleth) and this document only remains for historical and reference purposes. Be aware that it is not being maintained and may be misleading if read out of context.
When using the gateway, you are in effect using AthensDA, except that the eXtensible Authentication Point (XAP) (see AthensDA integration guide) is run by Athens and delegates to the local site's Shibboleth IdP to identify users. Because of this, there is quite a lot of useful information to be found in the JISCMail AthensDA list as well as the JISC-Shibboleth list
Details of the protocol between Athens and the XAP are available in the AthensDA integration guide. Details of the protocol between Athens and the DSPs are largely available in DSP integration guide though there are additional resources that are only available to DSPs.
How it works
When using the gateway you end up with a chain of 4 things, each (except the last) deferring identifying who you are to the next one:
Resource1 --> Athens --> Raven/Shibboleth --> Raven --- | Resource1 <-- Athens <-- Raven/Shibboleth <-- Raven <--
Each one remembers who you are if it's already seen you during the current browser session. For example you can keep on accessing the resource without further reference to Athens:
Resource1 --- | Resource1 <--
and you can access a new Athens resource without further reference to Raven/Shibboleth
Resource2 --> Athens --- | Resource2 <-- Athens <--
Information provided to content providers
The protocol apparently transfers at least the following to the content provider:
- a user name. When using the gateway, the user name is a 20-character random string starting '_'; apparently there is no guarantee that these will always be the same for the same user, but at present they are.
- a persistent unique ID. When using the gateway, this is based on the eduPersonTargetedID provided by Shib, though it's not the same
- an Organisation_Id, identifying the user's home organization
Other data is also available, see the DSP integration guide.
URLs
Various 'interesting' URLs can be identified by watching the http interaction or by reading submissions to the mailing lists, but only a few are actually documented for use:
The AthensDA integration guide (section 3.4.4) documents the 'setorg' URL which can be used to set the ath_ldom cookie identifying the user's home institution. Note that <returl> can be anything, including other Athens URLs
http://auth.athensams.net/setorg.php?id=<providerid>&ath_returl=<returl>
- <providerid> your providerid
- <returl> URL to return to once the cookie is set
The Local Authentication Integration Standards document includes a logout url to terminate Athens authentication:
https://auth.athensams.net/?ath_action=ssologout&ath_returl=<returl>
- <returl> is optional and provides a URL to refer the user to once logout is complete.
RSS feed of available resources: https://auth.athensams.net/my/resources/rss (but only available once authenticated?)
Target Resource Locators (TRLs) are provided for creating persistent URLs to resources that will trigger authentication:
From: Eduserv Athens Local Authentication Support <athens-la@EDUSERV.ORG.UK> To: ATHENSDA@JISCMAIL.AC.UK Date: Tue, 14 Feb 2006 17:20:10 -0000 ... The new service URL format is called a target resource locator (TRL), which uses a combination of: * the URL of the Athens authentication point (AP) * a TRL identifier * a resource identifier The basic format of a TRL is therefore: https://auth.athensams.net/trl/1.0/-/RESOURCE_ID
It appears that adding ?ath_action=noHddsSession will bypass the HDD service and so allow someone logged in via the gateway to access a particular service using their Classic Athens account:
From: Eduserv Athens Local Authentication Support <athens-la@EDUSERV.ORG.UK> To: JISC-SHIBBOLETH@JISCMAIL.AC.UK Date: Tue, 14 Feb 2006 17:20:08 -0000 Subject: Access to services not compliant with Shibboleth - Athens gateway As some of you know, Eduserv have been working on a method of allowing users at Shibboleth IdPs to use Athens-protected services that do not meet Athens implementation standards... The fix developed by Eduserv allows a user from a Shibboleth IdP to log into non-gateway compliant services with a classic Athens account. It uses a URL format called a target resource locator (TRL), which uses a combination of: * the URL of the Athens authentication point (AP) * a TRL identifier * a resource identifier * an extra parameter to pass at the Athens AP: ath_action=noHddsSession The basic format of a TRL is therefore: https://auth.athensams.net/trl/1.0/-/RESOURCE_ID?ath_action=noHddsSession A list of TRLs for non-gateway compliant services is below [...] Dialog DataStar https://auth.athensams.net/trl/1.0/-/DIALOG_DATASTAR?ath_action=noHddSession International Who's Who https://auth.athensams.net/trl/1.0/-/WORLD_WHO_WHO?ath_action=noHddSession JISC PDS https://auth.athensams.net/trl/1.0/-/PDS?ath_action=noHddSession LexisNexis Professional and Executive https://auth.athensams.net/trl/1.0/-/Lexis?ath_action=noHddSession Oxford Scholarship Online https://auth.athensams.net/trl/1.0/-/OUP_OSO?ath_action=noHddSession ProQuest https://auth.athensams.net/trl/1.0/-/PROQUEST?ath_action=noHddSession
Cookies
- ath_ldom, domain .athensams.net, expires +5 yeasrs: contains hom providerID, used by the Home Domain Discovery service to automatically refer authentication to the gateway.
- ath_da, domain .athensams.net, session: set following authentication, purpose unknown, contains '2'
- ath_username, domain .athensams.net, session: set following authentication, contains Athens usrname, used to support SSO
- ath_ltoken, domain .athensams.net, session: contains the L token which supports SSO
- __utma, __utmb, __utmc, __utmz: Google analyticics
Authentication sequences
Clean start
Starting with no relevant cookies, choosing 'Athens login' takes you to
http://auth.athensams.net/?ath_dspid=<dspid>&ath_returl=<returl>
- <dspid> is the service providerid - e.g. EDINA.FILMSOUND
- <returl> is the URL to access once authentication is complete
This results in a redirect to the same URL over https, which displays the Athens user id/password box (possibly customised for the site). Selecting 'Alternate login from there takes you to
https://auth.athensams.net/orglist.php?ath_returl=<returl>&ath_dspid=<dspid>
which displays the standard Athens HDDS organisation chooser. Selecting a particular organisation takes you to
https://auth.athensams.net/setsite.php?ath_dspid=<dspid>&ath_returl=<returl>&id=<providerid>
- <providerid> is the selected identity provider's id
This displays a message confirming the institution and asking if you want to remember it (in the ath_ldom cookie) for the future. Clicking 'GO>>' (assuming you leave the remember box checked) takes you to
https://auth.athensams.net/setsite.php?ath_dspid=<dspid>&ath_returl=<returl>&id=<providerid>&originProfile=4&doLogin=1&remChk=1&submit=++++Go+%BB+++
which redirects to
https://auth.athensams.net/?ath_action=setldom&id=<providerid>&ath_dspid=<dspid>&ath_returl=<returl>
which sets the ath_ldom cookie and redirects to
https://auth.athensams.net/?ath_dspid=<dspid>&ath_returl=<returl>&id=<prviderid>&ath_action=shaauth
Which redirects to the organisation's Shibboleth SSO handler. The target authentication request parameter, normally the URL of the eventual target of the authentication, appears to be an opaque string of some sort, perhaps the AthensDA DA_sso_req packet.
The organisation completes a Shibboleth authentication and posts the result to
https://auth.athensams.net/saml/PostRcv
The post contains a copy of the <target> from the request and the a SAML authentication response. This sets session cookies ath_da=2, ath_username=<id>, and ath_ltoken=<ltoken>.
- <id> is an Athens userid. When using the gateway this is a randomly allocated string starting '_', e.g. _wplsf6omk2rfw7lfveb
- <ltoken> is the AthensDA 'L' token, used to maintain SSO session, e.g. %3CRlMlVeMTj8BvvBMx3w%3E
A zero-delay META-refresh then causes the browser to retrieve:
<returl>&ath_user=<id>&ath_ttok=<ttoken>
- <ttoken> is the AThensDA 'T' token, used to transfer the user's identity to the DSP, e.g. %3CRlK1EaMyq%2FIMcMjuAA%3E
which redirects to the real service URL.
Another site, while still logged-in
Choosing 'Athens login' goes to
http://auth.athensams.net/?ath_returl=<returk>&ath_dspid=<dspid>
which redirects to the same URL over https, which uses a zero-delay META-refresh to causes the browser to request
<returl>?ath_user=<id>&ath_ttok=<tok>
which redirects to the real service URL.
Any site, having quit and restart the browser
Choosing 'Athens login' goes to
http://auth.athensams.net/?ath_dspid=<dspid>&ath_returl=<returl>
which redirects to the same URL over https: which displays the Continue to login page. Selecting the main link takes you to
https://auth.athensams.net/?ath_dspid=<dspid>&ath_returl=<returl>id=<providerid>&ath_action=shaauth
Which redirects to the organisation's Shibboleth SSO handler. The target authentication request parameter, normally the URL of the eventual target of the authentication, appears to be an opaque string of some sort, perhaps the AthensDA DA_sso_req packet.
The organisation completes a Shibboleth authentication and posts the result to
https://auth.athensams.net/saml/PostRcv
The post contains a copy of the <target> from the request and the a SAML authentication response. This sets session cookies ath_da=2, ath_username=<id>, and ath_ltoken=<ltoken>.
- <id> is an Athens userid. When using the gateway this is a randomly allocated string starting '_', e.g. _wplsf6omk2rfw7lfveb
- <ltoken> is the AthensDA 'L' token, used to maintain SSO session, e.g. %3CRlMlVeMTj8BvvBMx3w%3E
A zero-delay META-refresh then causes the browser to retrieve:
<returl>&ath_user=<id>&ath_ttok=<ttoken>
- <ttoken> is the AThensDA 'T' token, used to transfer the user's identity to the DSP, e.g. %3CRlK1EaMyq%2FIMcMjuAA%3E
which redirects to the real service URL.
Classic Athens (for comparison)
Choosing 'Athens login' takes you to
http://auth.athensams.net/?ath_dspid=<dspid>&ath_returl=<returl>
This redirects to the same URL over https:, which displays the Athens username/password page. Entering a username/password and clicking login posts ath_uname and ath_passwd to
https://auth.athensams.net/?ath_returl=<returl>&ath_dspid=<dspid>
This sets session cookies ath_da=2, ath_username=<id>, and ath_ltoken=<ltoken>.
- <id> is an Athens userid. When using the gateway this is a randomly allocated string starting '_', e.g. _wplsf6omk2rfw7lfveb
- <ltoken> is the AthensDA 'L' token, used to maintain SSO session, e.g. %3CRlMlVeMTj8BvvBMx3w%3E
A zero-delay META-refresh then causes the browser to retrieve:
<returl>&ath_user=<id>&ath_ttok=<ttoken>
- <ttoken> is the AThensDA 'T' token, used to transfer the user's identity to the DSP, e.g. %3CRlK1EaMyq%2FIMcMjuAA%3E
which redirects to the real service URL.
Captured URLs
Real URLs captured during various interactions:
Default start
1. Starting with no cookies, login to Film & Sound @ http://www.filmandsound.ac.uk/. Choose 'Athens login'
http://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=42&y=14
2. redirect to
https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=42&y=14
3. Displays Athens username & password box. Select 'Alternative Login'
https://auth.athensams.net/orglist.php?ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&ath_dspid=EDINA.FILMSOUND
4. Displays Athens HDDS chooser. Select 'Cardiff University' ('cos Cambridge not yet live)
https://auth.athensams.net/setsite.php?ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&id=https%3A%2F%2Fidp.cardiff.ac.uk%2Fshibboleth&oid=218
5. Displays 'Go to Cardiff University' page with 'Save on this computer. Click 'OK'
https://auth.athensams.net/setsite.php?ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&id=https%3A%2F%2Fidp.cardiff.ac.uk%2Fshibboleth&oid=218
6. redirect to
https://auth.athensams.net/?ath_action=setldom&id=https://idp.cardiff.ac.uk/shibboleth&ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D
7. Sets auth_ldom cookie, redirects to
https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&id=https%3A%2F%2Fidp.cardiff.ac.uk%2Fshibboleth&ath_action=shaauth
8. redirect to
https://idp.cardiff.ac.uk/shibboleth-idp/SSO?shire=https%3A%2F%2Fauth.athensams.net%2Fsaml%2FPostRcv&target=WlpjSDFUcHp5dDREMGZpQk34kltZLjGuSYUxm7fxxIlcNti8frex3VK3vKyylGgyyzGL6W5YzeAZmDt%2FVe6kyMQ36IzB5W3y%2FHNJTjDozxiJT5%2BI7MAwj0qTeGq4J3do8atjki5vpU%2B%2ByRN2WzeNYfzqmBRWH%2FTX96c1T8c9H5yEvu4W72Eq%2FcmseFd%2F%2FOQrGdJLay5qNu0dTh6tmK8Gu5WsrX9jCh8HZVxttqtt5aVQZdwLLW8Oz4RB19PVBz0M3tmfT58Kl2ffxqZEMJtIjXA2anf2XBpk80JmnrQJWNc%3D&time=1179728690&providerId=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Afederation%3Auk
9. Displays Cardiff's local authentication page
The same, as if from Cambridge
1. Fake the result of 4) above but choosing 'Cambridge' from the HDDS chooser by entering
https://auth.athensams.net/setsite.php?ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&id=urn:mace:eduserv.org.uk:athens:provider:cam.ac.uk
2. Displays 'Go to the Cambridge University login' page. Leave 'Remember this Org' checked. Click 'Go>>'
https://auth.athensams.net/setsite.php?ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&id=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Aprovider%3Acam.ac.uk&originProfile=4&doLogin=1&remChk=1&submit=++++Go+%BB+++
3. Redirects to
https://auth.athensams.net/?ath_action=setldom&id=urn:mace:eduserv.org.uk:athens:provider:cam.ac.uk&ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D
4. Sets auth_ldom cookie, redirects to
https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&id=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Aprovider%3Acam.ac.uk&ath_action=shaauth
5. Redirects to
https://shib.raven.cam.ac.uk/shibboleth-idp/SSO?shire=https%3A%2F%2Fauth.athensams.net%2Fsaml%2FPostRcv&target=ZFA0aXhSZjhjNHhXV2MybasvguUrMSbNF5sQ4lSOgc6317IRIVcse4G3po0e%2BkWkz2MtytmCl%2B0sgd12a3uByyf82zWgUB%2BcZe%2FimgKgJzOET1vdzFFpZocqwozvWLt49CZggwR2eq%2B80kq%2FuAcNARhOzkC8vyboZr6JEpHCm%2FfPZTvKgfZkXtMQ2YS4J%2FtwpOng%2Fo%2BGtBTNjt5AEYUT0Btk7zcAiJ7DTYij53WZiAPFmabB4A%2FPjxKKtsy9%2BnS8XOU13ha3MPMPtxU4H5l9FD1hYCM0M10XbgFYcKGlXW0%3D&time=1179730412&providerId=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Afederation%3Auk
6. Redirects to
https://raven.cam.ac.uk/auth/authenticate.html?ver=1&url=https%3a%2f%2fshib.raven.cam.ac.uk%2fshibboleth-idp%2fSSO%3fshire%3dhttps%253A%252F%252Fauth.athensams.net%252Fsaml%252FPostRcv%26target%3dZFA0aXhSZjhjNHhXV2MybasvguUrMSbNF5sQ4lSOgc6317IRIVcse4G3po0e%252BkWkz2MtytmCl%252B0sgd12a3uByyf82zWgUB%252BcZe%252FimgKgJzOET1vdzFFpZocqwozvWLt49CZggwR2eq%252B80kq%252FuAcNARhOzkC8vyboZr6JEpHCm%252FfPZTvKgfZkXtMQ2YS4J%252FtwpOng%252Fo%252BGtBTNjt5AEYUT0Btk7zcAiJ7DTYij53WZiAPFmabB4A%252FPjxKKtsy9%252BnS8XOU13ha3MPMPtxU4H5l9FD1hYCM0M10XbgFYcKGlXW0%253D%26time%3d1179730412%26providerId%3durn%253Amace%253Aeduserv.org.uk%253Aathens%253Afederation%253Auk&date=20070521T065333Z&desc=the%20University%20pilot%20Shibboleth%20service
7. Displays 'Raven confirmation'. Click Continue
https://raven.cam.ac.uk/auth/authenticate4.html
8. Redirects to
https://shib.raven.cam.ac.uk/shibboleth-idp/SSO?WLS-Response=1!200!!20070521T065751Z!1179730417-25013-8!https%3A%2F%2Fshib.raven.cam.ac.uk%2Fshibboleth-idp%2FSSO%3Fshire%3Dhttps%25253A%25252F%25252Fauth.athensams.net%25252Fsaml%25252FPostRcv%26target%3DZFA0aXhSZjhjNHhXV2MybasvguUrMSbNF5sQ4lSOgc6317IRIVcse4G3po0e%25252BkWkz2MtytmCl%25252B0sgd12a3uByyf82zWgUB%25252BcZe%25252FimgKgJzOET1vdzFFpZocqwozvWLt49CZggwR2eq%25252B80kq%25252FuAcNARhOzkC8vyboZr6JEpHCm%25252FfPZTvKgfZkXtMQ2YS4J%25252FtwpOng%25252Fo%25252BGtBTNjt5AEYUT0Btk7zcAiJ7DTYij53WZiAPFmabB4A%25252FPjxKKtsy9%25252BnS8XOU13ha3MPMPtxU4H5l9FD1hYCM0M10XbgFYcKGlXW0%25253D%26time%3D1179730412%26providerId%3Durn%25253Amace%25253Aeduserv.org.uk%25253Aathens%25253Afederation%25253Auk!jw35!!pwd!33534!!2!IESCcka6W7SOI3Hp3X2.eoZP8CU32oUjgt0Y0PkfsSbY4RstzNmKBrEdF5UjYuC5JIcsZvA.W20mTmaVnsjq7qFi14rMD6wHPl1JCIO9EN3lZWkPKzTWDUwS8Ekrt.g60KPyJwnGEwJw7RFoMwKE8JQAS5HDyTZy6BNkhs5qnM4_
9. Sets Ucam-WebAuth-Session-S cookie, redirects to
https://shib.raven.cam.ac.uk/shibboleth-idp/SSO?shire=https%3A%2F%2Fauth.athensams.net%2Fsaml%2FPostRcv&target=ZFA0aXhSZjhjNHhXV2MybasvguUrMSbNF5sQ4lSOgc6317IRIVcse4G3po0e%2BkWkz2MtytmCl%2B0sgd12a3uByyf82zWgUB%2BcZe%2FimgKgJzOET1vdzFFpZocqwozvWLt49CZggwR2eq%2B80kq%2FuAcNARhOzkC8vyboZr6JEpHCm%2FfPZTvKgfZkXtMQ2YS4J%2FtwpOng%2Fo%2BGtBTNjt5AEYUT0Btk7zcAiJ7DTYij53WZiAPFmabB4A%2FPjxKKtsy9%2BnS8XOU13ha3MPMPtxU4H5l9FD1hYCM0M10XbgFYcKGlXW0%3D&time=1179730412&providerId=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Afederation%3Auk
10. Sets JSESSIONID and shib_sp_<tandom hex> cookies. Displays 'Auth comlete, please wait' page. Posts to
https://auth.athensams.net/saml/PostRcv
11. Sets ath_da=2, ath_username=_<random hex>, ath_ltoken=<random hex>. Requests (via a no-delay META-refresh)
http://service.filmandsound.ac.uk/cgi-bin/filmandsoundlogin-sso?athens_sso=1&edina3=1&=&ath_user=_wplsf6omk2rfw7lfveb&ath_ttok=%3CRlFDOKP4WcWDnunpfQ%3E
12. Redirects to
http://service.filmandsound.ac.uk/WebZ/html/tan.html?sessionid=01-44028-1376784429&active=3
13. Displays Film and Sound's terms of use
Repeat, already authenticated
1. Try Film & Sound @ http://www.filmandsound.ac.uk/ again with all Athens cookies in place. Choose 'Athens login'
http://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=31&y=13
2. Redirects to
https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=31&y=13
3. Via a zero-delay METTA-refresh, equests
http://service.filmandsound.ac.uk/cgi-bin/filmandsoundlogin-sso?athens_sso=1&edina3=1&=&ath_user=_wplsf6omk2rfw7lfveb&ath_ttok=%3CRlFHJqOzQzRuLRnNWw%3E
4. Redirects to
http://service.filmandsound.ac.uk/WebZ/html/tan.html?sessionid=01-44028-1817385508&active=3
5. Displays Film and Sound's terms of use
Repeat in new browser session
1. Try Film & Sound @ http://www.filmandsound.ac.uk/ again with only persistent Athens cookies in place. Choose 'Athens login'
http://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=26&y=13
2. Redirects to
https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=26&y=13
3. Displays 'Continue to login' page. Select 'Cambridge University library' link
https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&id=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Aprovider%3Acam.ac.uk&ath_action=shaauth
4. Redirects to
https://shib.raven.cam.ac.uk/shibboleth-idp/SSO?shire=https%3A%2F%2Fauth.athensams.net%2Fsaml%2FPostRcv&target=cFJ2aWhGTDRtNFZBcVZoSmylfpDG2jY1l1PO4zKMOxjqmUD7Cy%2BktbLd8K3TjeLkTDhgMNWFQoGDjKWt77selxYlANweI2BM47hiIv6M%2FcKlXrur1zSi3ngI7wbJawUAlhsIPdKqPKNYF0x%2BjzT4Ge9f8wmnCywIFi%2BWovXY1WTK431Dmf6hq9Xd4dyXh2b%2Bi2J4w5TOQ8dT86ur6M018xUcXKXpNrKGAJYKn55C3qLRzbEYF9KLGyeNybH6yX%2FzfgNU1dhg4LWqarDTSuV809SjCjQ52qSP8ADWzYBPFYg%3D&time=1179732171&providerId=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Afederation%3Auk
5. Redirects to
https://raven.cam.ac.uk/auth/authenticate.html?ver=1&url=https%3a%2f%2fshib.raven.cam.ac.uk%2fshibboleth-idp%2fSSO%3fshire%3dhttps%253A%252F%252Fauth.athensams.net%252Fsaml%252FPostRcv%26target%3dYVdvdjFKQlFzUmVQVlExeQyQ5Sezpjz50d18RNO7SlWT0GWE%252BImfLfQxBYHDhtpVSAjPH1F8xGhzQg2LRwtwM4328%252Ft5aiHN23PcTYIHc98ZdwiftHXrN31DjkC3FdcVY%252Fvb6JZMG2p4Fd4lhbxPbWw450d2yMiy4IOhP9x%252FmJ5MwR8yTnRpCXbpXGrYiUG8oSXV4%252Bu9dk8Jz%252BgBkwuTq%252FQMUS%252BuqIR%252FNEgNpYuQISEIBMnRYzzXwHfWEzy00sdQ5vvXADWYq%252FXjG4VUirc%252B%252BQQd9zbQSracWmfHFa2Nw3I%253D%26time%3d1179756160%26providerId%3durn%253Amace%253Aeduserv.org.uk%253Aathens%253Afederation%253Auk&date=20070521T140240Z&desc=the%20University%20pilot%20Shibboleth%20service
5. Displays 'Raven confirmation'. Click 'Continue'
https://raven.cam.ac.uk/auth/authenticate4.html
6. Redirects to
https://shib.raven.cam.ac.uk/shibboleth-idp/SSO?WLS-Response=1!200!!20070521T072505Z!1179732172-25012-12!https%3A%2F%2Fshib.raven.cam.ac.uk%2Fshibboleth-idp%2FSSO%3Fshire%3Dhttps%25253A%25252F%25252Fauth.athensams.net%25252Fsaml%25252FPostRcv%26target%3DcFJ2aWhGTDRtNFZBcVZoSmylfpDG2jY1l1PO4zKMOxjqmUD7Cy%25252BktbLd8K3TjeLkTDhgMNWFQoGDjKWt77selxYlANweI2BM47hiIv6M%25252FcKlXrur1zSi3ngI7wbJawUAlhsIPdKqPKNYF0x%25252BjzT4Ge9f8wmnCywIFi%25252BWovXY1WTK431Dmf6hq9Xd4dyXh2b%25252Bi2J4w5TOQ8dT86ur6M018xUcXKXpNrKGAJYKn55C3qLRzbEYF9KLGyeNybH6yX%25252FzfgNU1dhg4LWqarDTSuV809SjCjQ52qSP8ADWzYBPFYg%25253D%26time%3D1179732171%26providerId%3Durn%25253Amace%25253Aeduserv.org.uk%25253Aathens%25253Afederation%25253Auk!jw35!!pwd!35802!!2!kllLpHThJRMfWGRzOa17SyUm1tZR5NAO90p0RrCT.1Eyi0jZk7mLWVO5EiRJkTnNIJEt.DuEA2p1hQrxeDl5Pk38om-3oWQjXP9iH21rm9xwLphfiqSZERwX1lBXmKCA1L2Mtc5UUvReUFLje-HTaMMQUc2c38Uivr8q.vksW5I_
7. Sets Ucam-WebAuth-Session-S cookie, redirects to
https://shib.raven.cam.ac.uk/shibboleth-idp/SSO?shire=https%3A%2F%2Fauth.athensams.net%2Fsaml%2FPostRcv&target=cFJ2aWhGTDRtNFZBcVZoSmylfpDG2jY1l1PO4zKMOxjqmUD7Cy%2BktbLd8K3TjeLkTDhgMNWFQoGDjKWt77selxYlANweI2BM47hiIv6M%2FcKlXrur1zSi3ngI7wbJawUAlhsIPdKqPKNYF0x%2BjzT4Ge9f8wmnCywIFi%2BWovXY1WTK431Dmf6hq9Xd4dyXh2b%2Bi2J4w5TOQ8dT86ur6M018xUcXKXpNrKGAJYKn55C3qLRzbEYF9KLGyeNybH6yX%2FzfgNU1dhg4LWqarDTSuV809SjCjQ52qSP8ADWzYBPFYg%3D&time=1179732171&providerId=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Afederation%3Auk
8. Sets JSESSIONID and shib_sp_<random hex> cookies. Displays 'Auth complete, please wait' page, posts to
https://auth.athensams.net/saml/PostRcv
9. Sets ath_da, ath_username, ath_ltoken cookies. Uses a zero-delay META-refresh to request
http://service.filmandsound.ac.uk/cgi-bin/filmandsoundlogin-sso?athens_sso=1&edina3=1&=&ath_user=_wplsf6omk2rfw7lfveb&ath_ttok=%3CRlFJmKPUztPFgr%2BvKA%3E
10. Redirects to
http://service.filmandsound.ac.uk/cgi-bin/filmandsoundlogin-sso?athens_sso=1&edina3=1&=&ath_user=_wplsf6omk2rfw7lfveb&ath_ttok=%3CRlFJmKPUztPFgr%2BvKA%3E
11. Displays F&S's T&Cs.
Access different site
1. African-American Poetry @ http://collections.chadwyck.co.uk/daap/htxview?template=basic.htx&content=frameset.htx. Select 'Athens users log in'
http://collections.chadwyck.co.uk/athens/
2. Somehow(?) redirect to
http://auth.athensams.net/?ath_returl=%22http%3A%2F%2Fcollections.chadwyck.co.uk%2FathensLogin%22&ath_dspid=CHADWYCK
3. Redirect to
https://auth.athensams.net/?ath_returl=%22http%3A%2F%2Fcollections.chadwyck.co.uk%2FathensLogin%22&ath_dspid=CHADWYCK
4. Via a zero-delay METTA-refresh, redirect to
http://collections.chadwyck.co.uk/athensLogin?ath_user=_wplsf6omk2rfw7lfveb&ath_ttok=%3CRlFNfaOPC26cgSyPKw%3E
5. Redirect to
http://collections.chadwyck.co.uk/home/home_aap.jsp?template=basic.htx&content=frameset.htx
6. Display front page
Classic Athens, from clean start
1. Starting with no cookies, login to Film & Sound @ http://www.filmandsound.ac.uk/. Choose 'Athens login'
http://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=25&y=4
2. Redirect to
https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=25&y=4
3. Displays Athens username/password page. Enter username/password, click login. Posts to the following with ath_uname and ath_passwd as POST parameters
https://auth.athensams.net/?ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&ath_dspid=EDINA.FILMSOUND
4. Sets ath_username, ath_ltoken. Requests, via a zero-delay META-refresh
http://service.filmandsound.ac.uk/cgi-bin/filmandsoundlogin-sso?athens_sso=1&edina3=1&=&ath_user=camtsjw35&ath_ttok=%3CRlFhI6NBcCQXmBz75w%3E