Infrastructure

See also #3394

We are now a (test) identity provider called "DataONE Test" -- https://test.cilogon.org/testidp/
I've tried both the browser-based and ECP-based authentication and both work great.
The identities we release are in the ou=Account tree of ldap.ecoinformatics.org so anyone with an account there should be able to authenticate via CILogon.

Next up: sociopolitical considerations for standing up an IdP "for real"

Deploying IdP on mn-demo-5.test.dataone.org¶

Installation source: /usr/share/shibboleth-identityprovider-2.3.8
$IDP_HOME: /opt/shibboleth-idp
Using SP metadata for InCommon ($IDP_HOME/conf/relying-party.xml): http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml
Upped the valid range in the filter to 30 days (from 7 days) to allow InCommon metadata. Not requiring trust of their metadata because I'm not sure where to get their credential.

Configured "IdPAuthRemoteUser" using basic apache auth with LDAP in the apache site configuration. Needed to also set tomcatAuthentication="false" in the AJP connector (Tomcat server.xml)

Configure attribute filters:
https://spaces.internet2.edu/display/InCCollaborate/Configure+a+Shibboleth+IdP+to+Support+R+and+S

Configure attribute resolver for LDAP, using the attributes in the filter above (attribute-resolver.xml). Uses ou=Account tree when communicating with LDAP server.

Use aacli.sh to test the release of attributes. Had to copy servlet-api.jar into the shibboleth lib directory and include --requester=

Secure the ECP endpoint using http basic auth like before: /idp/profile/SAML2/SOAP/ECP
https://mn-demo-5.test.dataone.org/idp/profile/SAML2/SOAP/ECP

CILogon then needed our IdP metadata to set us up on their end as an IdP (in their test area). See the "DataONE Test" idp here: https://test.cilogon.org/testidp/