
shibboleth-dev - Re: Shibboleth CAS LDAP Kerberos

Subject: Shibboleth Developers

  • From: Scott Cantor <>
  • To:
  • Subject: Re: Shibboleth CAS LDAP Kerberos
  • Date: Wed, 06 Jun 2007 16:05:12 -0400

Lisa Tan wrote:
> Am I correct that Shibboleth itself can do SSO? If yes, I should be able to
> configure Shibboleth directly against LDAP, right?

No, not yet. Apache and Tomcat handle authentication, not Shibboleth. SSO is about how web servers manage sessions, it's not really about authentication per se.

You can connect Tomcat or Apache to LDAP in many ways, but as Tom said, that's not the point. You don't start using LDAP just because Shibboleth can use it, it's based on your overall requirements for authentication.

Speaking for myself, Kerberos, if you have it, is much more reliable and simple to deal with from the Tomcat end of things. The downside out of the box is that you can't easily allow for people to type "almost a username" into the form, it's Kerberos principal or failure.

-- Scott


