Shibboleth Developers

[Chad La Joie <>]

Let me try to answer both in turn.

First, Shibbolizing Exchange.  With Exchange comes a set of software 
APIs for doing various Exchange extensions and one such extension used 
to be user authentication.  You'll have to forgive me, I can't remember 
what MS called the library, it's been a long time since I looked at 
Exchange.  So, if you wanted to do the development you should be able to 
customize Outlook Web Access to kick off a Shib process and then in 
theory create a custom component, using the above mentioned library, 
that would allow you to use the resultant authN response to log the user 
in.  Note that there were a lot of conditional clauses in there, I've 
never done this before so I could be way off base, but I did look in to 
it once and it seemed doable.

A second option MIGHT become available as part of the ADFS (Active 
Directory Federation Service, I think is the expansion of that) work 
that the Shibboleth development team and Microsoft are collaborating on. 
 I honestly know pretty close to nothing about ADFS so it's very 
possible that this work won't help.

So, second, about protecting the authentication to Shibboleth. 
Certainly you could use something like SecureID fobs.  Since the 
authentication is handled either by Apache or Tomcat (depending on how 
you set stuff up) you're free to use anything that either of those 
support.  I know Apache has modules for things like SecureID, 
client-cert, and numerous other multi-factor and/or non userid/password 
based authentication.

Hope this helps some.

james sankar wrote:
> Dear Shibboleth experts ;-)
>
> AARNet has recently set up a shibboleth IDP as part of the MAMS
> federation in Australia.
>
> We now want to move to a single sign on environment and make as much
> use of shibboleth as we can to learn/develop etc.
>
> One requirement is to shibbolise our mail server that is based on MS
> Exchange so that our staff can get access to web-based email using
> their single sign on LDAP password.  Has anyone done this and if so
> is any documentation or good advice available?
>
> In addition, some concerns were also raised about our users going to
> an Internet café and trying to access that way that may compromise
> usernames/passwords from Key loggers, what alternatives can
> shibboleth offer here, has anyone coupled RSA one time passwords with
> shibboleth to overcome this or are there other solutions you may know
> of?
>
> Thanks in advance
>
> James Sankar ----------------------------- Network Engineer -
> Middleware AARNet Pty Ltd Canberra, Australia
>
> Tel: 02 6222 3538 Fax: 02 6222 3535 Mobile: 0422 007 466 email:
>
>  
> SIP:

--
Chad La Joie             315Q St. Mary's Hall
Project Sentinel         202.687.0124