Athens DA Protocol: Difference between revisions

From RavenWiki
Jump to navigationJump to search
No edit summary
No edit summary
Line 1: Line 1:
{{shib-project}}
{{shib-project}}


As I understand it, the Shib->Athens gateway effectively uses EduServ's proprietary Athens DA protocol once you've actually authenticated. Details of the protocol are not available to the likes of us, but here are some notes on aspects of it that I have deduced.
When using the gateway, you are in effect using [http://www.athensams.net/local_auth/athensda AthensDA], except that the eXtensible Authentication Point (XAP) that would normally be run by the local site for AthensDA (see [http://www.athensams.net/upload/athens/pdf/da_integration_guide.pdf AthensDA integration guide]) is run for them by Athens but uses the local site's Shibboleth IdP to identify the local site's users. Because of this, there is quite a lot of useful information to be found in the [http://www.jiscmail.ac.uk/lists/athensda.html AthensDA JISCMail mailing list]
 
Details of the protocol between Athens and the XAP are available in the [http://www.athensams.net/upload/athens/pdf/da_integration_guide.pdf AthensDA integration guide]. Details of the protocol between Athens and the DSPs are not available to the likes of us, but this document contains some notes that relate to it.


==How it works==
==How it works==
Line 23: Line 25:
   Resource2 <-- Athens <--
   Resource2 <-- Athens <--


In practice, you are using [http://www.athensams.net/local_auth/athensda AthensDA], except that the eXtensible Authentication Point (XAP) that would normally be run by us under AthensDA (see [http://www.athensams.net/upload/athens/pdf/da_integration_guide.pdf AthensDA integration guide]) is run for us by Athens but uses our Shibboleth IdP to identify our users. Of course, our IdP uses Raven in turn. Becasue of this, there is quite a lot of useful information to be found in the [http://www.jiscmail.ac.uk/lists/athensda.html AthensDA JISCMail mailing list]
==Authentication sequences==
 
===Clean start===
 
Starting with no relevant cookies, choosing 'Athens login' takes you to
 
http://auth.athensams.net/?ath_dspid=<dspid>&ath_returl=<returl>
 
* <dspid> is the service providerid - e.g. EDINA.FILMSOUND
* <returl> is the URL to access once authentication is complete
 
This results in a redirect to the same URL over https, which displays the standard Athens user id/password box. Selecting 'Alternate login from there takes you to
 
https://auth.athensams.net/orglist.php?ath_returl=<returl>&ath_dspid=<dspid>
 
which displays the standard Athens HDDS organisation chooser. Selecting a particular organisation takes you to
 
https://auth.athensams.net/setsite.php?ath_dspid=<dspid>&ath_returl=<returl>&id=<providerid>
 
* <providerid> is the selected identity provider's id
 
This displays a message confirming the institution and asking if you want to remember it (with a cookie) for the future. Clicking 'GO>>' (assuming you leave the remember box checked) takes you to
 
https://auth.athensams.net/setsite.php?ath_dspid=<dspid>&ath_returl=<returl>&id=<providerid>&originProfile=4&doLogin=1&remChk=1&submit=++++Go+%BB+++
 
which redirects to
 
https://auth.athensams.net/?ath_action=setldom&id=<providerid>&ath_dspid=<dspid>&ath_returl=<returl>
 
which sets the ath_ldom cookie and redirects to
https://auth.athensams.net/?ath_dspid=<dspid>&ath_returl=<returl>&id=<prviderid>&ath_action=shaauth
 
Which redirects to the organisation's Shibboleth SSO handler. The ''target'' authentication request parameter, normally the URL of the eventual target of the authentication, appears to be an opaque string of some sort. The organisation completes a Shibboleth authentication and posts the result to
 
https://auth.athensams.net/saml/PostRcv
 
The post contains a copy of the <target> from the request (and presumably an authentication response and other shib stuff?). This sets session cookies ath_da=2, ath_username=_<random hex>, and ath_ltoken=<random hex>. Somehow (another auto-submit form?) this causes the browser to retrieve:
 
<returl>&ath_user=<id>&ath_ttok=<tok>
 
* <id> is a randomly allocated 'athens id' starting '_', e.g. _wplsf6omk2rfw7lfveb, corresponding to ath_username
* <tok> is some sort of encoded token, e.g. %3CRlFJmKPUztPFgr%2BvKA%3E, corresponding to ath_ltoken
 
which redirects to the real service URL.
 
===Another site, while still logged-in===
 
Choosing 'Athens login' goes to
 
http://auth.athensams.net/?ath_returl=<returk>&ath_dspid=<dspid>
 
which redirects to the same URL over https, which somehow (auto-submit form?) causes the browser to request
 
<returl>?ath_user=<id>&ath_ttok=<tok>
 
which redirects to the real service URL.
 
===Any site, having quit and restart the browser===
 
Choosing 'Athens login' goes to
 
http://auth.athensams.net/?ath_dspid=<dspid>&ath_returl=<returl>
 
which redirects to the same URL over https: which displays the 'Continue to login' page. Selecting the main link takes you to
 
https://auth.athensams.net/?ath_dspid=<dspid>&ath_returl=<returl> (?? - can't be right!!)
 
Which redirects to the organisation's Shibboleth SSO handler. The ''target'' authentication request parameter, normally the URL of the eventual target of the authentication, appears to be an opaque string of some sort. The organisation completes a Shibboleth authentication and posts the result to
 
https://auth.athensams.net/saml/PostRcv
 
The post contains a copy of the <target> from the request (and presumably an authentication response and other shib stuff?). This sets session cookies ath_da=2, ath_username=_<random hex>, and ath_ltoken=<random hex>. Somehow (another auto-submit form?) this causes the browser to retrieve:
 
<returl>&ath_user=<id>&ath_ttok=<tok>
 
* <id> is a randomly allocated 'athens id' starting '_', e.g. _wplsf6omk2rfw7lfveb, corresponding to ath_username
* <tok> is some sort of encoded token, e.g. %3CRlFJmKPUztPFgr%2BvKA%3E, corresponding to ath_ltoken
 
which redirects to the real service URL.
 
===Classic Athens (for comparison)===
 
Choosing 'Athens login' takes you to
 
http://auth.athensams.net/?ath_dspid=<dspid>&ath_returl=<returl>
 
This redirects to the same URL over https:, which displays the Athens username/password page. Entering a username/password and clicking login
 
https://auth.athensams.net/?ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&ath_dspid=EDINA.FILMSOUND
 
4. Displays Athens Ts anc Cs page, select 'Accept', click continue
 
https://auth.athensams.net/?ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&ath_dspid=EDINA.FILMSOUND
 
5. Sets ath_username, ath_ltoken. Somehow requests
 
http://service.filmandsound.ac.uk/cgi-bin/filmandsoundlogin-sso?athens_sso=1&edina3=1&=&ath_user=camtsjw35&ath_ttok=%3CRlFhI6NBcCQXmBz75w%3E
 
 
 


==Identifiers==
==Identifiers==

Revision as of 13:56, 21 May 2007

ShibbolethLogoColorSmall.png
WARNING: This page is retained as a historical record but is out-of-date and is not being maintained.

This was a working document belonging to the Computing Service's Shibboleth Development Project. This project is complete (Raven now supports Shibboleth) and this document only remains for historical and reference purposes. Be aware that it is not being maintained and may be misleading if read out of context.

When using the gateway, you are in effect using AthensDA, except that the eXtensible Authentication Point (XAP) that would normally be run by the local site for AthensDA (see AthensDA integration guide) is run for them by Athens but uses the local site's Shibboleth IdP to identify the local site's users. Because of this, there is quite a lot of useful information to be found in the AthensDA JISCMail mailing list

Details of the protocol between Athens and the XAP are available in the AthensDA integration guide. Details of the protocol between Athens and the DSPs are not available to the likes of us, but this document contains some notes that relate to it.

How it works

When using the gateway you end up with a chain of 4 things, each (except the last) deferring identifying who you are to the next one:

 Resource1 --> Athens --> Raven/Shibboleth --> Raven ---
                                                        |
 Resource1 <-- Athens <-- Raven/Shibboleth <-- Raven <--

Each one remembers who you are if it's already seen you during the current browser session. For example you can keep on accessing the resource without further reference to Athens:

 Resource1 ---
              |
 Resource1 <--

and you can access a new Athens resource without further reference to Raven/Shibboleth

 Resource2 --> Athens ---
                         |
 Resource2 <-- Athens <--

Authentication sequences

Clean start

Starting with no relevant cookies, choosing 'Athens login' takes you to

http://auth.athensams.net/?ath_dspid=<dspid>&ath_returl=<returl>
  • <dspid> is the service providerid - e.g. EDINA.FILMSOUND
  • <returl> is the URL to access once authentication is complete

This results in a redirect to the same URL over https, which displays the standard Athens user id/password box. Selecting 'Alternate login from there takes you to

https://auth.athensams.net/orglist.php?ath_returl=<returl>&ath_dspid=<dspid>

which displays the standard Athens HDDS organisation chooser. Selecting a particular organisation takes you to

https://auth.athensams.net/setsite.php?ath_dspid=<dspid>&ath_returl=<returl>&id=<providerid>
  • <providerid> is the selected identity provider's id

This displays a message confirming the institution and asking if you want to remember it (with a cookie) for the future. Clicking 'GO>>' (assuming you leave the remember box checked) takes you to

https://auth.athensams.net/setsite.php?ath_dspid=<dspid>&ath_returl=<returl>&id=<providerid>&originProfile=4&doLogin=1&remChk=1&submit=++++Go+%BB+++

which redirects to

https://auth.athensams.net/?ath_action=setldom&id=<providerid>&ath_dspid=<dspid>&ath_returl=<returl>

which sets the ath_ldom cookie and redirects to

https://auth.athensams.net/?ath_dspid=<dspid>&ath_returl=<returl>&id=<prviderid>&ath_action=shaauth

Which redirects to the organisation's Shibboleth SSO handler. The target authentication request parameter, normally the URL of the eventual target of the authentication, appears to be an opaque string of some sort. The organisation completes a Shibboleth authentication and posts the result to

https://auth.athensams.net/saml/PostRcv

The post contains a copy of the <target> from the request (and presumably an authentication response and other shib stuff?). This sets session cookies ath_da=2, ath_username=_<random hex>, and ath_ltoken=<random hex>. Somehow (another auto-submit form?) this causes the browser to retrieve:

<returl>&ath_user=<id>&ath_ttok=<tok>
  • <id> is a randomly allocated 'athens id' starting '_', e.g. _wplsf6omk2rfw7lfveb, corresponding to ath_username
  • <tok> is some sort of encoded token, e.g. %3CRlFJmKPUztPFgr%2BvKA%3E, corresponding to ath_ltoken

which redirects to the real service URL.

Another site, while still logged-in

Choosing 'Athens login' goes to

http://auth.athensams.net/?ath_returl=<returk>&ath_dspid=<dspid>

which redirects to the same URL over https, which somehow (auto-submit form?) causes the browser to request

<returl>?ath_user=<id>&ath_ttok=<tok>

which redirects to the real service URL.

Any site, having quit and restart the browser

Choosing 'Athens login' goes to

http://auth.athensams.net/?ath_dspid=<dspid>&ath_returl=<returl>

which redirects to the same URL over https: which displays the 'Continue to login' page. Selecting the main link takes you to

https://auth.athensams.net/?ath_dspid=<dspid>&ath_returl=<returl> (?? - can't be right!!)

Which redirects to the organisation's Shibboleth SSO handler. The target authentication request parameter, normally the URL of the eventual target of the authentication, appears to be an opaque string of some sort. The organisation completes a Shibboleth authentication and posts the result to

https://auth.athensams.net/saml/PostRcv

The post contains a copy of the <target> from the request (and presumably an authentication response and other shib stuff?). This sets session cookies ath_da=2, ath_username=_<random hex>, and ath_ltoken=<random hex>. Somehow (another auto-submit form?) this causes the browser to retrieve:

<returl>&ath_user=<id>&ath_ttok=<tok>
  • <id> is a randomly allocated 'athens id' starting '_', e.g. _wplsf6omk2rfw7lfveb, corresponding to ath_username
  • <tok> is some sort of encoded token, e.g. %3CRlFJmKPUztPFgr%2BvKA%3E, corresponding to ath_ltoken

which redirects to the real service URL.

Classic Athens (for comparison)

Choosing 'Athens login' takes you to

http://auth.athensams.net/?ath_dspid=<dspid>&ath_returl=<returl>

This redirects to the same URL over https:, which displays the Athens username/password page. Entering a username/password and clicking login

https://auth.athensams.net/?ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&ath_dspid=EDINA.FILMSOUND

4. Displays Athens Ts anc Cs page, select 'Accept', click continue

https://auth.athensams.net/?ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&ath_dspid=EDINA.FILMSOUND

5. Sets ath_username, ath_ltoken. Somehow requests

http://service.filmandsound.ac.uk/cgi-bin/filmandsoundlogin-sso?athens_sso=1&edina3=1&=&ath_user=camtsjw35&ath_ttok=%3CRlFhI6NBcCQXmBz75w%3E



Identifiers

The protocol apparently transfers at least the following to the content provider:

  • a user name. When using the gateway, the user name is a 20-character random string starting '_'; apparently there is no guarantee that these will always be the same for the same user, but at present they are.
  • a persistent unique ID. When using the gateway, this is based on the eduPersonTargetedID provided by Shib, though it's not the same
  • an Organisation_Id, identifying the user's home organization

URLs

Interesting examples:


See section 3.3.4 of the AthensDA integration guide.

 From: David Orrell <david.orrell@EDUSERV.ORG.UK>
 To: ATHENSDA@JISCMAIL.AC.UK
 Date: Fri, 13 Jan 2006 16:56:23 -0000

 ...In fact you can now, by appending
 '&ath_action=daauth&id={your_site_id}' to an Athens AAP URL.

 Eg. To access the OED:

 http://auth.athensams.net/?ath_dspid=OUP.OED&ath_returl=http%3A%2F%2Fdictionary.oed.com%2Fentrance.dtl&ath_action=daauth&id=={your_site_id}

 This does not set the ldom cookie. If you want to set the cookie at the same
 time, then you can use the method John suggests.
 From: Eduserv Athens Local Authentication Support <athens-la@EDUSERV.ORG.UK>
 To: ATHENSDA@JISCMAIL.AC.UK
 Date: Fri, 13 Jan 2006 15:08:44 -0000

 ...the setorg page ensuring the ath_ldom cookie is set and bypassing the HDDS pages.

 e.g.
 https://auth.athensams.net/?id=[site ID]&ath_returl=[persistent link URL]
 From: Eduserv Athens Local Authentication Support <athens-la@EDUSERV.ORG.UK>
 To: ATHENSDA@JISCMAIL.AC.UK
 Date: Tue, 14 Feb 2006 17:20:10 -0000

 ...
 The new service URL format is called a target resource locator (TRL),
 which uses a combination of:

 * the URL of the Athens authentication point (AP)
 * a TRL identifier
 * a resource identifier

 The basic format of a TRL is therefore:

 https://auth.athensams.net/trl/1.0/-/RESOURCE_ID

It looks as if adding ?ath_action=noHddsSession may bypass the HDD service and so allow someone logged in via the gateway to access a particular service using their Classic Athens account:

 From: Eduserv Athens Local Authentication Support <athens-la@EDUSERV.ORG.UK>
 To: JISC-SHIBBOLETH@JISCMAIL.AC.UK
 Date: Tue, 14 Feb 2006 17:20:08 -0000
 Subject: Access to services not compliant with Shibboleth - Athens gateway

 As some of you know, Eduserv have been working on a method of allowing
 users at Shibboleth IdPs to use Athens-protected services that do not
 meet Athens implementation standards...

 The fix developed by Eduserv allows a user from a Shibboleth IdP to log
 into non-gateway compliant services with a classic Athens account.  It
 uses a URL format called a target resource locator (TRL), which uses a
 combination of:

 * the URL of the Athens authentication point (AP)
 * a TRL identifier
 * a resource identifier
 * an extra parameter to pass at the Athens AP: ath_action=noHddsSession

 The basic format of a TRL is therefore:

 https://auth.athensams.net/trl/1.0/-/RESOURCE_ID?ath_action=noHddsSession

 A list of TRLs for non-gateway compliant services is below [...]

 Dialog DataStar
 https://auth.athensams.net/trl/1.0/-/DIALOG_DATASTAR?ath_action=noHddSession

 International Who's Who
 https://auth.athensams.net/trl/1.0/-/WORLD_WHO_WHO?ath_action=noHddSession

 JISC PDS
 https://auth.athensams.net/trl/1.0/-/PDS?ath_action=noHddSession

 LexisNexis Professional and Executive
 https://auth.athensams.net/trl/1.0/-/Lexis?ath_action=noHddSession

 Oxford Scholarship Online
 https://auth.athensams.net/trl/1.0/-/OUP_OSO?ath_action=noHddSession

 ProQuest
 https://auth.athensams.net/trl/1.0/-/PROQUEST?ath_action=noHddSession

RSS feed of available resources: https://auth.athensams.net/my/resources/rss (only available once authenticated?)

Cookies

  • ath_ldom, domain .athensams.net, expires 2012: contains providerID, appears to drive the Home Domain Discovery service. It may be that this can be set with, e.g., https://auth.athensams.net/?id=[site ID]&ath_returl=[persistent link URL]

Login Sequences

Default start

1. Starting with no cookies, login to Film & Sound @ http://www.filmandsound.ac.uk/. Choose 'Athens login'

http://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=42&y=14

2. redirect to

https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=42&y=14

3. Displays Athens username & password box. Select 'Alternative Login'

https://auth.athensams.net/orglist.php?ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&ath_dspid=EDINA.FILMSOUND

4. Displays Athens HDDS chooser. Select 'Cardiff University' ('cos Cambridge not yet live)

https://auth.athensams.net/setsite.php?ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&id=https%3A%2F%2Fidp.cardiff.ac.uk%2Fshibboleth&oid=218

5. Displays 'Go to Cardiff University' page with 'Save on this computer. Click 'OK'

https://auth.athensams.net/setsite.php?ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&id=https%3A%2F%2Fidp.cardiff.ac.uk%2Fshibboleth&oid=218

6. redirect to

https://auth.athensams.net/?ath_action=setldom&id=https://idp.cardiff.ac.uk/shibboleth&ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D

7. Sets auth_ldom cookie, redirects to

https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&id=https%3A%2F%2Fidp.cardiff.ac.uk%2Fshibboleth&ath_action=shaauth

8. redirect to

https://idp.cardiff.ac.uk/shibboleth-idp/SSO?shire=https%3A%2F%2Fauth.athensams.net%2Fsaml%2FPostRcv&target=WlpjSDFUcHp5dDREMGZpQk34kltZLjGuSYUxm7fxxIlcNti8frex3VK3vKyylGgyyzGL6W5YzeAZmDt%2FVe6kyMQ36IzB5W3y%2FHNJTjDozxiJT5%2BI7MAwj0qTeGq4J3do8atjki5vpU%2B%2ByRN2WzeNYfzqmBRWH%2FTX96c1T8c9H5yEvu4W72Eq%2FcmseFd%2F%2FOQrGdJLay5qNu0dTh6tmK8Gu5WsrX9jCh8HZVxttqtt5aVQZdwLLW8Oz4RB19PVBz0M3tmfT58Kl2ffxqZEMJtIjXA2anf2XBpk80JmnrQJWNc%3D&time=1179728690&providerId=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Afederation%3Auk

9. Displays Cardiff's local authentication page

The same, as if from Cambridge

1. Fake the result of 4) above but choosing 'Cambridge' from the HDDS chooser by entering

https://auth.athensams.net/setsite.php?ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&id=urn:mace:eduserv.org.uk:athens:provider:cam.ac.uk

2. Displays 'Go to the Cambridge University login' page. Leave 'Remember this Org' checked. Click 'Go>>'

https://auth.athensams.net/setsite.php?ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&id=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Aprovider%3Acam.ac.uk&originProfile=4&doLogin=1&remChk=1&submit=++++Go+%BB+++

3. Redirects to

https://auth.athensams.net/?ath_action=setldom&id=urn:mace:eduserv.org.uk:athens:provider:cam.ac.uk&ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D

4. Sets auth_ldom cookie, redirects to

https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&id=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Aprovider%3Acam.ac.uk&ath_action=shaauth

5. Redirects to

https://shib.raven.cam.ac.uk/shibboleth-idp/SSO?shire=https%3A%2F%2Fauth.athensams.net%2Fsaml%2FPostRcv&target=ZFA0aXhSZjhjNHhXV2MybasvguUrMSbNF5sQ4lSOgc6317IRIVcse4G3po0e%2BkWkz2MtytmCl%2B0sgd12a3uByyf82zWgUB%2BcZe%2FimgKgJzOET1vdzFFpZocqwozvWLt49CZggwR2eq%2B80kq%2FuAcNARhOzkC8vyboZr6JEpHCm%2FfPZTvKgfZkXtMQ2YS4J%2FtwpOng%2Fo%2BGtBTNjt5AEYUT0Btk7zcAiJ7DTYij53WZiAPFmabB4A%2FPjxKKtsy9%2BnS8XOU13ha3MPMPtxU4H5l9FD1hYCM0M10XbgFYcKGlXW0%3D&time=1179730412&providerId=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Afederation%3Auk

6. Redirects to

https://raven.cam.ac.uk/auth/authenticate.html?ver=1&url=https%3a%2f%2fshib.raven.cam.ac.uk%2fshibboleth-idp%2fSSO%3fshire%3dhttps%253A%252F%252Fauth.athensams.net%252Fsaml%252FPostRcv%26target%3dZFA0aXhSZjhjNHhXV2MybasvguUrMSbNF5sQ4lSOgc6317IRIVcse4G3po0e%252BkWkz2MtytmCl%252B0sgd12a3uByyf82zWgUB%252BcZe%252FimgKgJzOET1vdzFFpZocqwozvWLt49CZggwR2eq%252B80kq%252FuAcNARhOzkC8vyboZr6JEpHCm%252FfPZTvKgfZkXtMQ2YS4J%252FtwpOng%252Fo%252BGtBTNjt5AEYUT0Btk7zcAiJ7DTYij53WZiAPFmabB4A%252FPjxKKtsy9%252BnS8XOU13ha3MPMPtxU4H5l9FD1hYCM0M10XbgFYcKGlXW0%253D%26time%3d1179730412%26providerId%3durn%253Amace%253Aeduserv.org.uk%253Aathens%253Afederation%253Auk&date=20070521T065333Z&desc=the%20University%20pilot%20Shibboleth%20service

7. Displays 'Raven confirmation'. Click Continue

https://raven.cam.ac.uk/auth/authenticate4.html

8. Redirects to

https://shib.raven.cam.ac.uk/shibboleth-idp/SSO?WLS-Response=1!200!!20070521T065751Z!1179730417-25013-8!https%3A%2F%2Fshib.raven.cam.ac.uk%2Fshibboleth-idp%2FSSO%3Fshire%3Dhttps%25253A%25252F%25252Fauth.athensams.net%25252Fsaml%25252FPostRcv%26target%3DZFA0aXhSZjhjNHhXV2MybasvguUrMSbNF5sQ4lSOgc6317IRIVcse4G3po0e%25252BkWkz2MtytmCl%25252B0sgd12a3uByyf82zWgUB%25252BcZe%25252FimgKgJzOET1vdzFFpZocqwozvWLt49CZggwR2eq%25252B80kq%25252FuAcNARhOzkC8vyboZr6JEpHCm%25252FfPZTvKgfZkXtMQ2YS4J%25252FtwpOng%25252Fo%25252BGtBTNjt5AEYUT0Btk7zcAiJ7DTYij53WZiAPFmabB4A%25252FPjxKKtsy9%25252BnS8XOU13ha3MPMPtxU4H5l9FD1hYCM0M10XbgFYcKGlXW0%25253D%26time%3D1179730412%26providerId%3Durn%25253Amace%25253Aeduserv.org.uk%25253Aathens%25253Afederation%25253Auk!jw35!!pwd!33534!!2!IESCcka6W7SOI3Hp3X2.eoZP8CU32oUjgt0Y0PkfsSbY4RstzNmKBrEdF5UjYuC5JIcsZvA.W20mTmaVnsjq7qFi14rMD6wHPl1JCIO9EN3lZWkPKzTWDUwS8Ekrt.g60KPyJwnGEwJw7RFoMwKE8JQAS5HDyTZy6BNkhs5qnM4_

9. Sets Ucam-WebAuth-Session-S cookie, redirects to

https://shib.raven.cam.ac.uk/shibboleth-idp/SSO?shire=https%3A%2F%2Fauth.athensams.net%2Fsaml%2FPostRcv&target=ZFA0aXhSZjhjNHhXV2MybasvguUrMSbNF5sQ4lSOgc6317IRIVcse4G3po0e%2BkWkz2MtytmCl%2B0sgd12a3uByyf82zWgUB%2BcZe%2FimgKgJzOET1vdzFFpZocqwozvWLt49CZggwR2eq%2B80kq%2FuAcNARhOzkC8vyboZr6JEpHCm%2FfPZTvKgfZkXtMQ2YS4J%2FtwpOng%2Fo%2BGtBTNjt5AEYUT0Btk7zcAiJ7DTYij53WZiAPFmabB4A%2FPjxKKtsy9%2BnS8XOU13ha3MPMPtxU4H5l9FD1hYCM0M10XbgFYcKGlXW0%3D&time=1179730412&providerId=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Afederation%3Auk

10. Sets JSESSIONID and shib_sp_<tandom hex> cookies. Displays 'Auth comlete, please wait' page. Posts to

https://auth.athensams.net/saml/PostRcv

11. Sets ath_da=2, ath_username=_<random hex>, ath_ltoken=<random hex>. Somehow(?) requests

http://service.filmandsound.ac.uk/cgi-bin/filmandsoundlogin-sso?athens_sso=1&edina3=1&=&ath_user=_wplsf6omk2rfw7lfveb&ath_ttok=%3CRlFDOKP4WcWDnunpfQ%3E

12. Redirects to

http://service.filmandsound.ac.uk/WebZ/html/tan.html?sessionid=01-44028-1376784429&active=3

13. Displays Film and Sound's terms of use

Repeat, already authenticated

1. Try Film & Sound @ http://www.filmandsound.ac.uk/ again with all Athens cookies in place. Choose 'Athens login'

http://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=31&y=13

2. Redirects to

https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=31&y=13

3. Somehow(?) requests

http://service.filmandsound.ac.uk/cgi-bin/filmandsoundlogin-sso?athens_sso=1&edina3=1&=&ath_user=_wplsf6omk2rfw7lfveb&ath_ttok=%3CRlFHJqOzQzRuLRnNWw%3E

4. Redirects to

http://service.filmandsound.ac.uk/WebZ/html/tan.html?sessionid=01-44028-1817385508&active=3

5. Displays Film and Sound's terms of use

Repeat in new browser session

1. Try Film & Sound @ http://www.filmandsound.ac.uk/ again with only persistent Athens cookies in place. Choose 'Athens login'

http://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=26&y=13

2. Redirects to

https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=26&y=13

3. Displays 'Continue to login' page. Select 'Cambridge University library' link

https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=26&y=13

4. Redirects to

https://shib.raven.cam.ac.uk/shibboleth-idp/SSO?shire=https%3A%2F%2Fauth.athensams.net%2Fsaml%2FPostRcv&target=cFJ2aWhGTDRtNFZBcVZoSmylfpDG2jY1l1PO4zKMOxjqmUD7Cy%2BktbLd8K3TjeLkTDhgMNWFQoGDjKWt77selxYlANweI2BM47hiIv6M%2FcKlXrur1zSi3ngI7wbJawUAlhsIPdKqPKNYF0x%2BjzT4Ge9f8wmnCywIFi%2BWovXY1WTK431Dmf6hq9Xd4dyXh2b%2Bi2J4w5TOQ8dT86ur6M018xUcXKXpNrKGAJYKn55C3qLRzbEYF9KLGyeNybH6yX%2FzfgNU1dhg4LWqarDTSuV809SjCjQ52qSP8ADWzYBPFYg%3D&time=1179732171&providerId=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Afederation%3Auk

5. Redirects to

https://shib.raven.cam.ac.uk/shibboleth-idp/SSO?shire=https%3A%2F%2Fauth.athensams.net%2Fsaml%2FPostRcv&target=cFJ2aWhGTDRtNFZBcVZoSmylfpDG2jY1l1PO4zKMOxjqmUD7Cy%2BktbLd8K3TjeLkTDhgMNWFQoGDjKWt77selxYlANweI2BM47hiIv6M%2FcKlXrur1zSi3ngI7wbJawUAlhsIPdKqPKNYF0x%2BjzT4Ge9f8wmnCywIFi%2BWovXY1WTK431Dmf6hq9Xd4dyXh2b%2Bi2J4w5TOQ8dT86ur6M018xUcXKXpNrKGAJYKn55C3qLRzbEYF9KLGyeNybH6yX%2FzfgNU1dhg4LWqarDTSuV809SjCjQ52qSP8ADWzYBPFYg%3D&time=1179732171&providerId=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Afederation%3Auk

6. Displays 'Raven confirmation'. Click 'Continue'

https://raven.cam.ac.uk/auth/authenticate4.html

7. Redirects to

https://shib.raven.cam.ac.uk/shibboleth-idp/SSO?WLS-Response=1!200!!20070521T072505Z!1179732172-25012-12!https%3A%2F%2Fshib.raven.cam.ac.uk%2Fshibboleth-idp%2FSSO%3Fshire%3Dhttps%25253A%25252F%25252Fauth.athensams.net%25252Fsaml%25252FPostRcv%26target%3DcFJ2aWhGTDRtNFZBcVZoSmylfpDG2jY1l1PO4zKMOxjqmUD7Cy%25252BktbLd8K3TjeLkTDhgMNWFQoGDjKWt77selxYlANweI2BM47hiIv6M%25252FcKlXrur1zSi3ngI7wbJawUAlhsIPdKqPKNYF0x%25252BjzT4Ge9f8wmnCywIFi%25252BWovXY1WTK431Dmf6hq9Xd4dyXh2b%25252Bi2J4w5TOQ8dT86ur6M018xUcXKXpNrKGAJYKn55C3qLRzbEYF9KLGyeNybH6yX%25252FzfgNU1dhg4LWqarDTSuV809SjCjQ52qSP8ADWzYBPFYg%25253D%26time%3D1179732171%26providerId%3Durn%25253Amace%25253Aeduserv.org.uk%25253Aathens%25253Afederation%25253Auk!jw35!!pwd!35802!!2!kllLpHThJRMfWGRzOa17SyUm1tZR5NAO90p0RrCT.1Eyi0jZk7mLWVO5EiRJkTnNIJEt.DuEA2p1hQrxeDl5Pk38om-3oWQjXP9iH21rm9xwLphfiqSZERwX1lBXmKCA1L2Mtc5UUvReUFLje-HTaMMQUc2c38Uivr8q.vksW5I_

8. Sets Ucam-WebAuth-Session-S cookie, redirects to

https://shib.raven.cam.ac.uk/shibboleth-idp/SSO?shire=https%3A%2F%2Fauth.athensams.net%2Fsaml%2FPostRcv&target=cFJ2aWhGTDRtNFZBcVZoSmylfpDG2jY1l1PO4zKMOxjqmUD7Cy%2BktbLd8K3TjeLkTDhgMNWFQoGDjKWt77selxYlANweI2BM47hiIv6M%2FcKlXrur1zSi3ngI7wbJawUAlhsIPdKqPKNYF0x%2BjzT4Ge9f8wmnCywIFi%2BWovXY1WTK431Dmf6hq9Xd4dyXh2b%2Bi2J4w5TOQ8dT86ur6M018xUcXKXpNrKGAJYKn55C3qLRzbEYF9KLGyeNybH6yX%2FzfgNU1dhg4LWqarDTSuV809SjCjQ52qSP8ADWzYBPFYg%3D&time=1179732171&providerId=urn%3Amace%3Aeduserv.org.uk%3Aathens%3Afederation%3Auk

9. Sets JSESSIONID and shib_sp_<random hex> cookies. Displays 'Auth complete, please wait' page, posts to

https://auth.athensams.net/saml/PostRcv

10. Sets ath_da, ath_username, ath_ltoken cookies. Somehow requests

http://service.filmandsound.ac.uk/cgi-bin/filmandsoundlogin-sso?athens_sso=1&edina3=1&=&ath_user=_wplsf6omk2rfw7lfveb&ath_ttok=%3CRlFJmKPUztPFgr%2BvKA%3E

11. Redirects to

http://service.filmandsound.ac.uk/cgi-bin/filmandsoundlogin-sso?athens_sso=1&edina3=1&=&ath_user=_wplsf6omk2rfw7lfveb&ath_ttok=%3CRlFJmKPUztPFgr%2BvKA%3E

12. Displays F&S's T&Cs.

Access different site

1. African-American Poetry @ http://collections.chadwyck.co.uk/daap/htxview?template=basic.htx&content=frameset.htx. Select 'Athens users log in'

http://collections.chadwyck.co.uk/athens/

2. Somehow(?) redirect to

http://auth.athensams.net/?ath_returl=%22http%3A%2F%2Fcollections.chadwyck.co.uk%2FathensLogin%22&ath_dspid=CHADWYCK

3. Redirect to

https://auth.athensams.net/?ath_returl=%22http%3A%2F%2Fcollections.chadwyck.co.uk%2FathensLogin%22&ath_dspid=CHADWYCK

4. Somehow(?) redirect to

http://collections.chadwyck.co.uk/athensLogin?ath_user=_wplsf6omk2rfw7lfveb&ath_ttok=%3CRlFNfaOPC26cgSyPKw%3E

5. Redirect to

http://collections.chadwyck.co.uk/home/home_aap.jsp?template=basic.htx&content=frameset.htx

6. Display front page

Classic Athens, from clean start

1. Starting with no cookies, login to Film & Sound @ http://www.filmandsound.ac.uk/. Choose 'Athens login'

http://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=25&y=4

2. Redirect to

https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=25&y=4

3. Displays Athens username/password page. Enter username/password, click login:

https://auth.athensams.net/?ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&ath_dspid=EDINA.FILMSOUND

4. Displays Athens Ts anc Cs page, select 'Accept', click continue

https://auth.athensams.net/?ath_returl=http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D&ath_dspid=EDINA.FILMSOUND

5. Sets ath_username, ath_ltoken. Somehow requests

http://service.filmandsound.ac.uk/cgi-bin/filmandsoundlogin-sso?athens_sso=1&edina3=1&=&ath_user=camtsjw35&ath_ttok=%3CRlFhI6NBcCQXmBz75w%3E