SOCKET Technical blog for SOCKET http://www.agbooth.com/SOCKETBlog/www.socketelf.org_8080/roller/socket/feed/entries/atom 2008-05-06T18:15:30+01:00 Apache Roller (incubating) http://www.agbooth.com/SOCKETBlog/www.socketelf.org_8080/roller/socket/entry/qmshibb_software_released.html QMShibb - Software released Andrew G. Booth 2006-05-14T13:47:35+01:00 2007-09-10T19:20:06+01:00 <p>The QMShibb software is now released on the <a href="http://sourceforge.net/projects/socket">Socket Sourceforge site</a>. It is released as a .war file for deployment in Apache Tomcat. See the other items in this blog for details of how to install, configure, test and deploy QMShibb. Alternatively, full details are contained in the docs directory of the webapp obtained when the war file is deployed.</p> http://www.agbooth.com/SOCKETBlog/www.socketelf.org_8080/roller/socket/entry/qmshibb_installation_configuration_and_testing.html QMShibb - Installation, configuration and testing Andrew G. Booth 2006-05-13T12:26:39+01:00 2007-09-10T19:20:06+01:00 <p>QMShibb is a web application that can be installed and tested in Apache Tomcat. Here's how to do it. I assume that the Questionmark Web Integrated Services environment (QMWISE) is installed on the IIS server running Perception and that Tomcat has been installed.</p> <p><b>Setting up Perception and QMWISe for QMShibb</b></p> <p>Go to the directory that contains the configuration file for Perception, probably Perception\server, and open the file Perception.ini (or Perceptionv4.ini). Look for these entries in the Enterprise Manager section:</p> <pre style="font-size:10pt">Enable exlogin=0</pre> <pre style="font-size:10pt">Allow external EM entry =0</pre> <pre style="font-size:10pt">Simple EM checksum =0</pre> <p>Edit these to:</p> <pre style="font-size:10pt">Enable exlogin=1</pre> <pre style="font-size:10pt">Allow external EM entry =1</pre> <pre style="font-size:10pt">Simple EM checksum =1</pre> <p>There may be a section in this file that refers to QMWISe. If so, look for the following entries in that section:</p> <pre style="font-size:10pt">SecurityRequire=0 TrustRequire=0</pre> <p>Edit these to:</p> <pre style="font-size:10pt">SecurityRequire=1 TrustRequire=0</pre> <p>Now go to the directory that contains QMWISE, probably Perception\server\qmwise, and open the file Web.config in a text editor. Look for the entries:</p> <pre style="font-size:10pt">&lt;add key=&quot;SecurityRequire&quot; value=&quot;0&quot; /&gt;<br/>&lt;add key=&quot;TrustRequire&quot; value=&quot;0&quot; /&gt;</pre> <p>Edit these to:</p> <pre style="font-size:10pt">&lt;add key=&quot;SecurityRequire&quot; value=&quot;1&quot; /&gt;<br/>&lt;add key=&quot;TrustRequire&quot; value=&quot;0&quot; /&gt;</pre> <p>Save the file and use the Enterprise Manager to reset the Perception dlls.</p> <p><b>Installing and configuring QMShibb</b></p> <p>Download the file QMShibb.war from the <a href="http://sourceforge.net/projects/socket">SOCKET Sourceforge site</a>.</p> <p>Put this file in the webapps directory of Tomcat (e.g. c:\Program&nbsp;Files\Tomcat&nbsp;5.5\webapps). It will be automatically expanded with all of the directory structures and files needed.</p> <p>Go to the QMShibb WEB-INF directory (e.g. c:\Program&nbsp;Files\Tomcat&nbsp;5.5\webapps\QMShibb\WEB-INF) and open the file web.xml in a text editor. This file contains the configuration settings for QMShibb. Here is a description of the settings:</p> <table width="98%" border="0" cellspacing="0" > <tr> <td valign="top" width="50%"> <ul> <pre style="font-size:10pt">&lt;context-param&gt; &lt;param-name&gt; security &lt;/param-name&gt; &lt;param-value&gt; 1 &lt;/param-value&gt; &lt;/context-param&gt;</pre> </ul> </td> <td valign="top"> <ul> This parameter controls whether or not the QMWISe security header is sent in the SOAP request. You should set this to 1 if the header is to be sent or 0 if not. The recommended setting is 1. This is a required parameter. </ul></td> </tr> <tr> <td valign="top"> <ul> <pre style="font-size:10pt">&lt;context-param&gt; &lt;param-name&gt; ClientID &lt;/param-name&gt; &lt;param-value&gt; Manager &lt;/param-value&gt; &lt;/context-param&gt;</pre> </ul> </td> <td valign="top"> <ul> This parameter contains the username of a Perception administrator who has at least sufficient privilege to manage the server dlls and configure the server. This parameter is ignored if the security parameter is set to 0. </ul> </td> </tr> <tr> <td valign="top"> <ul> <pre style="font-size:10pt">&lt;context-param&gt; &lt;param-name&gt; checksum &lt;/param-name&gt; &lt;param-value&gt; xxxxxx &lt;/param-value&gt; &lt;/context-param&gt;</pre> </ul> </td> <td valign="top"> <ul> This parameter contains the security checksum. It is an MD5 digest of the concatenation of the username and encrypted password of the administrator whose username is present in the ClientID parameter. See below for a description of how the checksum is obtained. This parameter is ignored if the security parameter is set to 0. </ul> </td> </tr> <tr> <td valign="top"> <ul> <pre style="font-size:10pt">&lt;context-param&gt; &lt;param-name&gt; QMWISe-url &lt;/param-name&gt; &lt;param-value&gt; http://.../QMWISe/QMWISe.asmx &lt;/param-value&gt; &lt;/context-param&gt;</pre> </ul> </td> <td valign="top"> <ul> This parameter contains the URL of the QMWISe web service. This is a required parameter. The value can be obtained by running IIS Manager and then looking for the actual path of the virtual directory qmwise. </ul> </td> </tr> <tr> <td valign="top"> <ul> <pre style="font-size:10pt">&lt;context-param&gt; &lt;param-name&gt; test-mode &lt;/param-name&gt; &lt;param-value&gt; 1 &lt;/param-value&gt; &lt;/context-param&gt;</pre> </ul> </td> <td valign="top"> <ul> This parameter allows you to put QMShibb into test mode. This allows you to test QMShibb without having to put it behind a Shibboleth Service Provider. When this parameter is set to 1, QMShibb will generate Shibboleth attributes using the information in the following parameters. This parameter should be set to 0 for a production deployment. This is a required parameter. </ul> </td> </tr> <tr> <td valign="top"> <ul> <pre style="font-size:10pt">&lt;context-param&gt; &lt;param-name&gt; test-user &lt;/param-name&gt; &lt;param-value&gt; ADent &lt;/param-value&gt; &lt;/context-param&gt;</pre> </ul> </td> <td valign="top"> <ul> The username of the fictional user in the Shibboleth attribute to be used in test mode. This parameter is ignored if the test-mode parameter is set to zero. </ul> </td> </tr> <tr> <td valign="top"> <ul> <pre style="font-size:10pt">&lt;context-param&gt; &lt;param-name&gt; test-firstname &lt;/param-name&gt; &lt;param-value&gt; Arthur &lt;/param-value&gt; &lt;/context-param&gt;</pre> </ul> </td> <td valign="top"> <ul> The first name of the fictional user in the Shibboleth attribute to be used in test mode. This parameter is ignored if the test-mode parameter is set to zero. </ul> </td> </tr> <tr> <td valign="top"> <ul> <pre style="font-size:10pt">&lt;context-param&gt; &lt;param-name&gt; test-lastname &lt;/param-name&gt; &lt;param-value&gt; Dent &lt;/param-value&gt; &lt;/context-param&gt;</pre> </ul> </td> <td valign="top"> <ul> The last name of the fictional user in the Shibboleth attribute to be used in test mode. This parameter is ignored if the test-mode parameter is set to zero. </ul> </td> </tr> <tr> <td valign="top"> <ul> <pre style="font-size:10pt">&lt;context-param&gt; &lt;param-name&gt; test-groups &lt;/param-name&gt; &lt;param-value&gt; test_group1;test_group2 &lt;/param-value&gt; &lt;/context-param&gt;</pre> </ul> </td> <td valign="top"> <ul> The names of the fictional groups in the Shibboleth attribute used in test mode. This parameter is ignored if the test-mode parameter is set to zero. </ul> </td> </tr> <tr> <td valign="top"> <ul> <pre style="font-size:10pt">&lt;context-param&gt; &lt;param-name&gt; create-account &lt;/param-name&gt; &lt;param-value&gt; 1 &lt;/param-value&gt; &lt;/context-param&gt;</pre> </ul> </td> <td valign="top"> <ul> When this parameter is set to 1, QMShibb will create a new Perception participant account for the user whose username is present in the Shibboleth header defined below. If the parameter is set to 0, no automatic account creation will occur. This is a required parameter. </ul> </td> </tr> <tr> <td valign="top"> <ul> <pre style="font-size:10pt">&lt;context-param&gt; &lt;param-name&gt; join-existing-groups &lt;/param-name&gt; &lt;param-value&gt; 1 &lt;/param-value&gt; &lt;/context-param&gt;</pre> </ul> </td> <td valign="top"> <ul> When this parameter is set to 1, QMShibb will add the user whose username is present in the Shibboleth header defined below to any existing Perception group whose name matches one of the group names present in the Shibboleth header defined below. This parameter is ignored if the create-account parameter is set to 0. </ul> </td> </tr> <tr> <td valign="top"> <ul> <pre style="font-size:10pt">&lt;context-param&gt; &lt;param-name&gt; create-groups &lt;/param-name&gt; &lt;param-value&gt; 0 &lt;/param-value&gt; &lt;/context-param&gt;</pre> </ul> </td> <td valign="top"> <ul> When this parameter is set to 1, QMShibb will create a Perception group if its name matches one of the group names present in the Shibboleth header defined below and the group does not already exist. It will then add the user whose username is present in the Shibboleth header defined below to the newly-created or existing group. This parameter is ignored if the create-account parameter is set to 0 or the join-existing-group parameter is set to 1. </ul> </td> </tr> <tr> <td valign="top"> <ul> <pre style="font-size:10pt">&lt;context-param&gt; &lt;param-name&gt; username-attribute &lt;/param-name&gt; &lt;param-value&gt; HTTP_..._eduPersonPrincipalName &lt;/param-value&gt; &lt;/context-param&gt;</pre> </ul> </td> <td valign="top"> <ul> The name of the Shibboleth attribute carrying the site-qualified username of the user. This is a required parameter. QMShibb will report an error if this Shibboleth header is not present in the HTTP request. </ul> </td> </tr> <tr> <td valign="top"> <ul> <pre style="font-size:10pt">&lt;context-param&gt; &lt;param-name&gt; fullname-attribute &lt;/param-name&gt; &lt;param-value&gt; HTTP_..._eduPersonNickname &lt;/param-value&gt; &lt;/context-param&gt;</pre> </ul> </td> <td valign="top"> <ul> The name of the Shibboleth attribute carrying the full name of the user. This parameter is ignored if the firstname-attribute and lastname-attribute Shibboleth headers described below are both present in the HTTP request. If no Shibboleth header containing name information is present in the HTTP request, QMShibb will give the user the default name Anonymous User. </ul> </td> </tr> <tr> <td valign="top"> <ul> <pre style="font-size:10pt">&lt;context-param&gt; &lt;param-name&gt; firstname-attribute &lt;/param-name&gt; &lt;param-value&gt; HTTP_givenName &lt;/param-value&gt; &lt;/context-param&gt;</pre> </ul> </td> <td valign="top"> <ul> The name of the Shibboleth attribute carrying the first name of the user. This parameter is not required if the full name of the user is delivered in the Shibboleth attribute defined in the fullname-attribute above. If no Shibboleth header containing name information is present in the HTTP request, QMShibb will give the user the default name Anonymous User. </ul> </td> </tr> <tr> <td valign="top"> <ul> <pre style="font-size:10pt">&lt;context-param&gt; &lt;param-name&gt; lastname-attribute &lt;/param-name&gt; &lt;param-value&gt; HTTP_sn &lt;/param-value&gt; &lt;/context-param&gt;</pre> </ul> </td> <td valign="top"> <ul> The name of the Shibboleth attribute carrying the last name of the user. This parameter is not required if the full name of the user is delivered in the Shibboleth attribute defined in the fullname-attribute above. If no Shibboleth header containing name information is present in the HTTP request, QMShibb will give the user the default name Anonymous User. </ul> </td> </tr> <tr> <td valign="top"> <ul> <pre style="font-size:10pt">&lt;context-param&gt; &lt;param-name&gt; groups-separator &lt;/param-name&gt; &lt;param-value&gt; ; &lt;/param-value&gt; &lt;/context-param&gt;</pre> </ul> </td> <td valign="top"> <ul> The names of the groups to which the user belongs are delivered as a list in a single Shibboleth attribute. This parameter is used to define the list separator (e.g. a comma, colon or semicolon). </ul> </td> </tr> <tr> <td valign="top"> <ul> <pre style="font-size:10pt">&lt;context-param&gt; &lt;param-name&gt; groups-attribute &lt;/param-name&gt; &lt;param-value&gt; HTTP_urn:bodington:member &lt;/param-value&gt; &lt;/context-param&gt;</pre> </ul> </td> <td valign="top"> <ul> The name of the Shibboleth attribute carrying the list of groups to which the user belongs. This list will be used to create equivalent groups in Perception if the appropriate parameters are set above. </ul> </td> </tr> </table> <p>You need to provide the username of a Perception administrator who has at least sufficient privilege to manage the server dlls and configure the server. Edit the ClientID parameter to that username. You also need to edit the checksum parameter. QMWISe comes with a test harness program that is designed to generate the checksum from the administrator's username and password. At the time of writing, the checksums generated by this program are incorrect. You can contact Questionmark for help with generating checksums. In the US you can email <a href="mailto:support@questionmark.com">support@questionmark.com</a> and in the UK you should contact <a href="mailto:helpdesk@questionmark.co.uk">helpdesk@questionmark.co.uk</a>. If you have access to the installation of Microsoft SQL Server that hosts the Perception database, you can generate your own checksum as follows:</p> <p>Open the SQL Server management application and connect to the server. Select the Perception database and open the Tables item. Select the table whose name ends in User (e.g. dbo.G_User). Right-click on this item and select Open Table. You should be able to locate the username of your chosen administrator in the User Name column. Next to it is the Password column. This contains 16-digit numbers that are the encrypted form of the password. Note the number corresponding to your chosen administrator. Close the SQL Server Management application. Open a web browser and go to <a href="http://pajhome.org.uk/crypt/md5/">http://pajhome.org.uk/crypt/md5/</a>. In the input box type the username of the administrator followed immediately by the encrypted password. If you administrator's username is Admin and the encrypted password is 1234567887654321, then you should type Admin1234567887654321. The input is case-sensitive so make sure that the Caps Lock key on your keyboard is not on and make sure that there is no space between the username and the encrypted password. Now click on the MD5 button. The result is the checksum that you should enter in the checksum parameter in your web.xml file.</p> <p>Go back to your web.xml file and make sure that the QMWISe-url parameter is correct for your setup. Set the test-mode parameter to 1 and save the web.xml file. Then restart Tomcat.</p> <p><b>Testing QMShibb</b></p> <p>Open a browser. </p> <p>If your Tomcat is a standalone installation, go to the URL: </p> <ul>http://path_to_Tomcat:8080/QMShibb/getaccessassessmentlist</ul> <p>If you have installed Tomcat into IIS, go to the URL:</p> <ul> http://path_to_IIS/QMShibb/getaccessassessmentlist </ul> <p>There will be a slight delay while the servlet is instantiated, but then you should be directed to the Perception list of assessments for Arthur Dent. This will probably be empty.</p> <p>Open the Questionmark Enterprise Manager and look at the lists of Participants and Groups. Arthur Dent should now be one of your Participants and he should be the only member of a group called external_shibboleth_users. You can delete the Participant and the Group if you want to. Close the Enterprise Manager and go back to the directory containing the QMShibb web.xml file. Change the test-mode parameter to 0. Decide on a policy regarding automatic account and group creation and set the parameters appropriately. Save the web.xml file and restart Tomcat.</p> <p><b>Shibboleth and QMShibb</b></p> <p>Having established that QMShibb is working correctly, you must protect the servlets in the QMShibb directory. The easiest way to do this is to put the <a href="http://bmbsun08.leeds.ac.uk:8080/roller/page/socket?entry=shibboleth_enabling_questionmark_perception">QMShibb servlets</a> behind a <a href="http://www.guanxi.uhi.ac.uk/index.php/Service_Provider">Guanxi Service Provider Guard</a>. This approach has the advantage that it will work irrespective of the location of Tomcat - on the Perception server, a VLE server or a third server. Alternatively, if you have <a href="http://bmbsun08.leeds.ac.uk:8080/roller/page/socket?entry=qmshibb_installing_tomcat_with_iis">installed Tomcat into the IIS server running Perception</a>, you can install the <a href="http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.3/sp/install-sp-1.3-win2003.html">Internet2 Service Provider</a> and configure it to protect the QMShibb directory. Whichever method you choose, you will have to make sure that before you try using QMShibb, your Service Provider has exchanged the appropriate metadata and certificates with the Shibboleth Identity Provider(s) that you are going to use.</p> http://www.agbooth.com/SOCKETBlog/www.socketelf.org_8080/roller/socket/entry/qmshibb_installing_tomcat_with_iis.html QMShibb - Installing Tomcat with IIS 6 Andrew G. Booth 2006-05-12T13:58:19+01:00 2007-09-10T19:20:06+01:00 <p>Although QMShibb will work on any server running a servlet container, it is convenient to install it into IIS on the same server as that running QuestionMark Perception. Unfortunately, IIS is not a servlet container, so you must install Java and Tomcat, and then optionally install the Jakarta Tomcat Connector. Here's how to do it. I'm assuming that you are running Windows Server 2003 and IIS 6.0.</p> <p><b>Install Java</b></p> <p>Download the Java JDK 1.5 from <a href="http://java.sun.com/j2se/1.5.0/download.jsp">http://java.sun.com/j2se/1.5.0/download.jsp</a></p> <p>Choose a custom installation so that you can specify the installation location. I chose to install in c:\Program Files\Java</p> <p>When the Java JDK has installed, you need to set a couple of environment variables to ensure that Tomcat will work correctly. Click on the Windows Start button at the bottom left of your screen. Select Control Panel. In the Control panel, select System. This will bring up the System Properties dialog. Click on the Advanced tab and then on the Environment Variables button. Create a variable called JAVA_HOME and give it the value of the directory where you installed Java - in my case this is c:\Program Files\Java. Create another environment variable called CATALINA_HOME and give it the value c:\Program&nbsp;Files\Tomcat&nbsp;5.5 then close the environment variables dialog. Back in Control Panel, select the Java item. This will launch the Java Control Panel. Select the Update tab. Make sure that the Check for Updates Automatically box is unchecked. Close the Java Control Panel and the Windows Control Panel.</p> <p><b>Install Apache Tomcat</b></p> <p>Download the Windows Excutable from <a href="http://tomcat.apache.org/download-55.cgi">http://tomcat.apache.org/download-55.cgi</a>. At the time of writing the current version is 5.5.17.</p> <p>Run the installer and select a Full Installation.</p> <p>At the Choose Install Location dialog, enter c:\Program&nbsp;Files\Tomcat&nbsp;5.5</p> <p>At the Configuration Options, leave the port as 8080 (assuming you have nothing else running on that port) and change the password to a strong one that you can remember.</p> <p>At the Java Virtual Machine dialog, enter the path to your Java setup - in my case c:\Program&nbsp;Files\Java</p> <p>At the final dialog, click on the Finish button. Tomcat is now installed as service that will start automatically.</p> <p><b>Install the Jakarta Tomcat Connector</b></p> <p>It is not essential to install the Connector as Tomcat and IIS will coexist happily, each serving pages on their respective ports, 8080 and 80. However, it is convenient to arrange for IIS to receive all requests and to pass those for servlets to Tomcat while dealing with all other requests itself. In this case, all requests can address IIS and the users can ignore the issue of ports.</p> <p>The Apache Tomcat website has a complicated protocol for installing the connector, involving dangerous operations such as editing the registry. Mercifully, this is not necessary as there is a program you can download that handles most of the installation process. Download isapi_redirect.msi from <A href="http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/jk-1.2.15/">http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/jk-1.2.15/</a>. Run the installer and install the redirector to c:\Program&nbsp;Files\Tomcat&nbsp;5.5.</p> <p>Open IIS manager and check that there is a virtual directory called jakarta in the default web site. The virtual directory should point to c:\Program&nbsp;Files\Tomcat&nbsp;5.5\bin and it should contain the files isapi_redirect.dll and isapi_redirect.properties as well as some others. Check that there is a Web Service Extension called jakarta whose status is Allowed.</p> <p>Right-click on Default Web Site in the left pane. Select Properties. In the Default Web Site Properties dialog, click on the ISAPI Filters tab. There should be a filter called jakarta, but this step of the installation often fails. If it's not there, click on the Add... button. Give the filter the name jakarta, set the executable as c:\Program&nbsp;Files\Tomcat&nbsp;5.5\bin\isapi_redirect.dll and then click on OK.</p> <p>Go to the directory c:\Program&nbsp;Files\Tomcat&nbsp;5.5\conf and open the file server.xml in a text editor. Locate the line:</p> <pre style="font-size:10pt">&lt;Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" /&gt;</pre> <p>Make sure that this entry is not commented out. Save the file.</p> <p>Open the file workers.properties in a text editor and edit its contents to the following: <pre style="font-size:10pt"> worker.list=wlb,jkstatus worker.ajp13w.type=ajp13 worker.ajp13w.host=localhost worker.ajp13w.port=8009 worker.wlb.type=lb worker.wlb.balance_workers=ajp13w worker.jkstatus.type=status </pre> <p>Save the file.</p> <p>Open the file uriworkers.properties in a text editor and edit its contents to the following: <pre style="font-size:10pt"> /admin/*=wlb /manager/*=wlb /jsp-examples/*=wlb /servlets-examples/*=wlb /QMShibb/*=wlb /jkmanager=jkstatus </pre></p> <p>Save the file.</p> <p>Now restart Tomcat and IIS. All requests for URLs containing the directories admin, manager, jsp-examples, servlets-examples and QMShibb will now be passed from IIS to Tomcat.</p> <p>To reiterate: these instructions show how to install Tomcat into the IIS server running Perception, but QMShibb can be installed into Tomcat running on any server - the server running Perception, the server running a Java-based VLE such as <a href="http://bodington.org">Bodington</a>, or an entirely separate server.</p> http://www.agbooth.com/SOCKETBlog/www.socketelf.org_8080/roller/socket/entry/shibboleth_enabling_questionmark_perception.html QMShibb - Shibboleth enabling Questionmark Perception Andrew G. Booth 2006-05-09T12:10:00+01:00 2007-09-10T19:20:06+01:00 <p>If you are interested in Shibboleth, then you are probably aware of the complex shuttling between the Service Provider (SP) and the Identity Provider (IdP) ultimately leading to a set of attributes emerging from the Service Provider and being presented to the Shibboleth-protected resource. (If this is all new to you, read the excellent introduction in the <a href="http://www.educause.edu/apps/eq/eqm04/eqm0442.asp?bhcp=1">Educause Quarterly</a>.)</p> <p>Let's assume that the user has tried to access a Shibboleth-protected resource. She has been intercepted by the SP and sent off to the WAYF which in turn sends her on to the IdP. She authenticates to the the IdP which then sends an authentication assertion to the SP. The SP responds by requesting the user's attributes from the IdP. But what happens when they arrive? Many diagrams of the Shibboleth authentication process simply end at this point with 'access to resource granted'. This may be the case if all that is necessary for access is for certain Shibboleth attributes to be present in the HTTP request. In this case the protected resource doesn't use the values of the attributes. It is enough to know for example that there is an attribute present that indicates that the user is a member of an organization that has paid a subscription for access to the resource.</p> <b>Shibboleth and e-Learning</b> <p>Shibboleth as originally developed has a very strong emphasis on protecting the user's privacy and not releasing more information than absolutely necessary. For example, as long as the user or her organization has paid a subscription, there is no need to release her identity to a publisher's website. However, this does not work in the world of e-learning where the protected resource might be a bulletin board or an online assessment system such as <a href="http://www.questionmark.com">Questionmark Perception</a>. Students need to be assessed. How can you assess a student if you don't know who she is? If you are accessing systems such as Questionmark Perception, then the minimum user attributes necessary will be some sort of system-specific identifier (e.g. a username), probably the student's real name and possibly an indication of the groups to which she belongs.</p> <b>Shibboleth and Questionmark Perception</b> <p>This means that you can't just put Perception behind a Shibboleth SP and expect it to work. You need another software component, a Resource Manager, that can extract the information from the Shibboleth attributes and pass it on to Perception in a form that it can use. Perception has web service called Questionmark Web Integration Services environment (QMWISe). This allows password-free access to much of Perception's functionality, including account and group creation, presentation of assessments and other administrative functions. As part of the SOCKET JISC eLF project, we have developed a resource manager that will allow Shibboleth attributes to be passed to QMWISe. The resource manager is called QMShibb.</p> <b>QMShibb</b> <p>Questionmark Perception is a Windows web application running within Microsoft Internet Information Server (IIS). We are primarily interested in interfacing Perception to our VLE, which uses the <a href="http://bodington.org">Bodington</a> software written in Java. Bodington has the advantage that it has both Shibboleth IdP and Shibboleth SP functionality built-in. QMShibb is a set of Java servlets which run in a servlet container that implements the Java Servlet Specification version 2.3 or above. It can be deployed on the same server as the VLE, <a href="http://bmbsun08.leeds.ac.uk:8080/roller/page/socket?entry=qmshibb_installing_tomcat_with_iis">the same server as Perception</a> or on a third server. There is no restriction on the domains in which the servers reside, but they should not use HTTP proxies.</p> <p>The preferred servlet container for QMShibb is Apache Tomcat. This can be installed as a standalone application, or it can be installed within Apache or IIS. In the latter case, it can be installed within the same installation of IIS as that running Perception.</p> <p>When QMShibb is installed behind a Shibboleth SP, it expects to find the following attributes in the HTTP request headers:</p> <ul>An attribute containing the user's principalName. This will usually take the form of a site-qualified username e.g. username@mysite.myuni.ac.uk This attribute is required and QMShibb will report an error if it is not present.</ul> <ul>A single attribute containing the user's real name or a pair of attributes containing the first and last names. If there is no name attribute, the user will be given the default name 'Anonymous User'</ul> <ul>An optional attribute containing a list of the names of groups to which the user belongs. The list separator character can be set in QMShibb's configuration file.</ul> <p>The names of the HTTP headers containing these attributes can be set in the configuration file. The configuration file also contains entries for setting the SOAP security header required by QMWISe. Other entries allow optional automatic participant account creation, automatic addition of the participant to existing groups within Perception, or the automatic creation of groups (with the same names as those in the Shibboleth attribute) and the addition of the participant to them.</p> <p>Currently, three servlets are provided with QMShibb. These are: <ul> <i>getaccessassessment</i><br> This servlet receives the Shibboleth attributes, carries out optional account/group creation and then redirects to a Perception assessment whose id is specified as a parameter in the request's query string. This servlet is accessed via a URL of the form: http://path.to.tomcat/QMShibb/getaccessassessment?assessment=1234567890<br/>The user is presented with the assessment as if she had logged into the perception.dll</ul> <ul> <i>getaccessassessmentlist</i><br> This servlet receives the Shibboleth attributes, carries out optional account/group creation and then redirects to the user's list of available Perception assessments. This servlet is accessed via a URL of the form: http://path.to.tomcat/QMShibb/getaccessassessmentlist<br/>The user is presented with the assessment list as if she had logged into the perception.dll</ul> <ul> <i>getaccessadministrator</i><br> This servlet receives the Shibboleth attributes of an existing Perception administrator, and redirects to the Perception Enterprise Manager without account or group creation. This servlet is accessed via a URL of the form: http://path.to.tomcat/QMShibb/getaccessadministrator<br/>The user is presented with the Enterprise Manager as if she had logged into it directly.</ul> <p>Here's an image of a Perception assessment accessed via Shibboleth (the <a href="http://www.guanxi.uhi.ac.uk/index.php/Guanxi">Guanxi</a> implementation)+QMShibb+QMWISe from the Bodington VLE.</p> <img src="http://www.agbooth.com/SOCKETBlog/www.socketelf.org_8080/roller/resources/socket/Image1.gif"/> <p>Following a conversation with John Kleeman, the Questionmark chairman, we modified the behaviour of the <i>getaccessassessment</i> and <i>getaccessassessmentlist</i> servlets. Both of these now ensure that the participant is added to the group 'external_shibboleth_users'. In addition, the <i>getaccessassessment</i> servlet checks to see if a schedule exists that links the user to the assessment. If not, then it creates a schedule that allows the user a single attempt at the assessment. For any further use of the assessment by that user a new schedule must be created.</p>