Grouper Users - Open Discussion List

[<>]

Gavril,
 
Rather than connecting applications directly to your LDAP server(s) (the 
multiplicity of them possibly being an issue here), a better solution would 
be to use a campus-wide authentication service  - which might be based on 
CAS, PubCookie or several other open source or proprietary products.
 
Better still would be to enable your applications as Shibboleth 
Service-Providers (using your campus-wide Shibboleth Identity-Provider 
service, which in turn should use a campus authentication service), then you 
have an extra level of indirection, and the ability to map user attributes 
that are maintained in the LDAP(s) to attributes your applications will use 
to base authorisation decisions on.
 
This is the sort of access management architecture in which (I think) Grouper 
is designed to work best.  It may also make it easier for you to use related 
tools like Signet, to manage authorisation permissions centrally.
 
I also think you have people at Duke (but I'm not sure who right now) who are 
actively involved in implementing Grouper, Signet, Shibboleth and the 
architectures around them.  They should be awake fairly soon now ;->
 
John Paschoud
InfoSystems Engineer
LSE Library
London School of Economics & Political Science, UK

________________________________

From: 

 
[mailto:]
Sent: Thu 22/06/06 14:19
To: 

Subject: [grouper-users] central authentication/authorization



Hi,

I am an Analyst/Programmer in the Press Department at Duke University. I
am familiar with Java and LDAP.

I am wondering whether it is possible to use our campus-wide
authentication credentials for some of our newly developed web
applications (department level)? (in other words the same userid and
password). This will require access to the University LDAP server in
order to validate against the attributes centrally stored. Is it
realistic to ask for access to that server and to embed in our
departmental applications the necessary authentication procedures? Which
would be the steps to follow in order to implement a single sign-on
procedure? I should be able to get server information and an account to
access it?

I appreciate your feed-back on this,

Thank you,

Gavril