
shibboleth-dev - Re: Shibboleth and MS Exchange

Subject: Shibboleth Developers


Re: Shibboleth and MS Exchange


  • From: Chad La Joie <>
  • To:
  • Cc: , , Clayton Forbes <>
  • Subject: Re: Shibboleth and MS Exchange
  • Date: Wed, 14 Sep 2005 21:17:05 -0400
  • Organization: UIS - Project Sentinel

Let me try to answer both in turn.

First, Shibbolizing Exchange. With Exchange comes a set of software APIs for doing various Exchange extensions and one such extension used to be user authentication. You'll have to forgive me, I can't remember what MS called the library, it's been a long time since I looked at Exchange. So, if you wanted to do the development you should be able to customize Outlook Web Access to kick off a Shib process and then in theory create a custom component, using the above-mentioned library, that would allow you to use the resultant authN response to log the user in. Note that there were a lot of conditional clauses in there, I've never done this before so I could be way off base, but I did look into it once and it seemed doable.

A second option MIGHT become available as part of the ADFS (Active Directory Federation Service, I think is the expansion of that) work that the Shibboleth development team and Microsoft are collaborating on. I honestly know pretty close to nothing about ADFS so it's very possible that this work won't help.

So, second, about protecting the authentication to Shibboleth. Certainly you could use something like SecurID fobs. Since the authentication is handled either by Apache or Tomcat (depending on how you set stuff up) you're free to use anything that either of those support. I know Apache has modules for things like SecurID, client-cert, and numerous other multi-factor and/or non-userid/password-based authentication.

Hope this helps some.

james sankar wrote:
Dear Shibboleth experts ;-)

AARNet has recently set up a shibboleth IDP as part of the MAMS
federation in Australia.

We now want to move to a single sign on environment and make as much
use of shibboleth as we can to learn/develop etc.

One requirement is to shibbolise our mail server that is based on MS
Exchange so that our staff can get access to web-based email using
their single sign on LDAP password. Has anyone done this and if so
is any documentation or good advice available?

In addition, some concerns were also raised about our users going to
an Internet café and trying to access that way that may compromise
usernames/passwords from key loggers, what alternatives can
shibboleth offer here, has anyone coupled RSA one time passwords with
shibboleth to overcome this or are there other solutions you may know
of?

Thanks in advance

James Sankar
-----------------------------
Network Engineer - Middleware
AARNet Pty Ltd
Canberra, Australia

Tel: 02 6222 3538
Fax: 02 6222 3535
Mobile: 0422 007 466
email:


SIP:




--
Chad La Joie 315Q St. Mary's Hall
Project Sentinel 202.687.0124


