
grouper-users - RE: [grouper-users] central authentication/authorization

Subject: Grouper Users - Open Discussion List


RE: [grouper-users] central authentication/authorization

  • From: <>
  • To: <>
  • Subject: RE: [grouper-users] central authentication/authorization
  • Date: Thu, 22 Jun 2006 15:50:53 +0100


Rather than connecting applications directly to your LDAP server(s) (the
multiplicity of them possibly being an issue here), a better solution would
be to use a campus-wide authentication service - which might be based on
CAS, PubCookie or several other open source or proprietary products.

Better still would be to enable your applications as Shibboleth
Service-Providers (using your campus-wide Shibboleth Identity-Provider
service, which in turn should use a campus authentication service), then you
have an extra level of indirection, and the ability to map user attributes
that are maintained in the LDAP(s) to attributes your applications will use
to base authorisation decisions on.

This is the sort of access management architecture in which (I think) Grouper
is designed to work best. It may also make it easier for you to use related
tools like Signet, to manage authorisation permissions centrally.

I also think you have people at Duke (but I'm not sure who right now) who are
actively involved in implementing Grouper, Signet, Shibboleth and the
architectures around them. They should be awake fairly soon now ;->

John Paschoud
InfoSystems Engineer
LSE Library
London School of Economics & Political Science, UK



Sent: Thu 22/06/06 14:19

Subject: [grouper-users] central authentication/authorization


I am an Analyst/Programmer in the Press Department at Duke University. I
am familiar with Java and LDAP.

I am wondering whether it is possible to use our campus-wide
authentication credentials for some of our newly developed web
applications (department level)? (in other words the same userid and
password). This will require access to the University LDAP server in
order to validate against the attributes centrally stored. Is it
realistic to ask for access to that server and to embed in our
departmental applications the necessary authentication procedures? Which
would be the steps to follow in order to implement a single sign-on
procedure? I should be able to get server information and an account to
access it?

I appreciate your feedback on this,

Thank you,

