shibboleth-dev - RE: Setting up a shared Shibboleth IdP - can it be done?
Subject: Shibboleth Developers
- From: "Scott Cantor"
- Subject: RE: Setting up a shared Shibboleth IdP - can it be done?
- Date: Wed, 19 Oct 2005 10:10:00 -0400
- Organization: The Ohio State University

> We'd base the location of the correct UsedDB on the username,
> which would have a part that identified the home organization
> of the user.

I think this aspect might be a big problem. Leaving aside the question of
why I should send my credentials outside of my organization, which might be
something you're already doing now anyway, expecting users to properly enter
things is usually a potential red flag to me.

I'd be inclined to say that users should self-select an institution first
(much like a WAYF). That's how I've seen similar systems work.

> My theory is that it can be done, and that it is possibly not
> doable straight "out of the box" through configurations, but
> would also entail some modifications to the code base.

I doubt there would be much other than coding the entire authentication
layer, which you have to do regardless. It might also be a problem actually
figuring out where to go get user attributes. Some kind of virtual LDAP
directory up front behind the AA might be more capable of federating the
attribute stores, perhaps.

-- Scott