shibboleth-dev - RE: Shibboleth CAS LDAP Kerberos
Subject: Shibboleth Developers
List archive
- From: "Lisa Tan" <>
- To: <>
- Subject: RE: Shibboleth CAS LDAP Kerberos
- Date: Thu, 7 Jun 2007 10:45:34 -0400
Scott,
Sorry, I've just realized I have overlooked your email yesterday. As you
indicated the purpose of SSO, I think I am confused about SSO and LDAP
authentication.
Rethinking the authentication models in our campus, we are mainly using
Enterprise LDAP authentication and rest of homegrown "authentications" are
sort of cookie session management.
We are in the process of implementing Luminis Platform IV. The good news
from yesterday is SunGard has just provided Security SDK to integrate
Luminis, CAS and IdP, so the Shibboleth IdP uses the CAS session to do SSO.
Based on Luminis Platform Security SDK CAS and Shibboleth implementation
guide, I could configure CAS for setting up the Luminis Platform to be a
Shibboleth identity provider or to support an existing Shibboleth identity
provider.
We are still in the beginning stage to understand Shibboleth and see how
shibbolized environment provides more services to our campus. The only
production application which I can think has immediately needs on Shibboleth
is Globus. Currently Globus is using LDAP authentication with Kerberos
plugin.
As you suggested before, I have two machines, one for IdP and one for SP.
Based on all the above plus your point of view on Kerberos, what is the best
approach to go? Should I set up stand alone IdP with stand alone CAS or
Kerberos, or use Luminis Platform as IdP?
Thanks,
Lisa
-----Original Message-----
From: Scott Cantor
[mailto:]
Sent: Wednesday, June 06, 2007 4:05 PM
To:
Subject: Re: Shibboleth CAS LDAP Kerberos
Lisa Tan wrote:
> Am I correct that Shibboleth itself can do SSO? If yes, I should be able
to
> configure Shibboleth directly against LDAP, right?
No, not yet. Apache and Tomcat handle authentication, not Shibboleth.
SSO is about how web servers manage sessions, it's not really about
authentication per se.
You can connect Tomcat or Apache to LDAP in many ways, but as Tom said,
that's not the point. You don't start using LDAP just because Shibboleth
can use it, it's based on your overall requirements for authentication.
Speaking for myself, Kerberos, if you have it, is much more reliable and
simple to deal with from the Tomcat end of things. The downside out of
the box is that you can't easily allow for people to type "almost a
username" into the form, it's Kerberos principal or failure.
-- Scott
- Re: Location of SP Session Cache, André Cruz, 06/06/2007
- Re: Location of SP Session Cache, Scott Cantor, 06/06/2007
- RE: Shibboleth CAS LDAP Kerberos, Lisa Tan, 06/06/2007
- Re: Shibboleth CAS LDAP Kerberos, Scott Cantor, 06/06/2007
- RE: Shibboleth CAS LDAP Kerberos, Lisa Tan, 06/06/2007
- Re: Shibboleth CAS LDAP Kerberos, Scott Cantor, 06/06/2007
- RE: Shibboleth CAS LDAP Kerberos, Lisa Tan, 06/07/2007
- Re: Shibboleth CAS LDAP Kerberos, Scott Cantor, 06/07/2007
- RE: Shibboleth CAS LDAP Kerberos, Lisa Tan, 06/07/2007
- Re: Shibboleth CAS LDAP Kerberos, Scott Cantor, 06/07/2007
- RE: Shibboleth CAS LDAP Kerberos, Lisa Tan, 06/07/2007
- Re: Shibboleth CAS LDAP Kerberos, Scott Cantor, 06/08/2007
- RE: Shibboleth CAS LDAP Kerberos, Lisa Tan, 06/08/2007
- RE: Shibboleth CAS LDAP Kerberos, Lisa Tan, 06/07/2007
- Re: Shibboleth CAS LDAP Kerberos, Scott Cantor, 06/06/2007
- RE: Shibboleth CAS LDAP Kerberos, Lisa Tan, 06/06/2007
- Re: Shibboleth CAS LDAP Kerberos, Scott Cantor, 06/06/2007
- RE: Shibboleth CAS LDAP Kerberos, Lisa Tan, 06/06/2007
- Re: Location of SP Session Cache, Scott Cantor, 06/06/2007
- Re: Location of SP Session Cache, Scott Cantor, 06/06/2007
- Re: Location of SP Session Cache, André Cruz, 06/07/2007
- Re: Location of SP Session Cache, Scott Cantor, 06/07/2007
- Re: Location of SP Session Cache, André Cruz, 06/07/2007
Archive powered by MHonArc 2.6.16.