
shibboleth-dev - Re: Shibboleth CAS LDAP Kerberos

Subject: Shibboleth Developers


Re: Shibboleth CAS LDAP Kerberos


  • From: Scott Cantor <>
  • To:
  • Subject: Re: Shibboleth CAS LDAP Kerberos
  • Date: Thu, 07 Jun 2007 11:22:13 -0400

Lisa Tan wrote:
> Sorry, I've just realized I have overlooked your email yesterday. As you
> indicated the purpose of SSO, I think I am confused about SSO and LDAP
> authentication.

Web SSO (if the first S is for "Single") means the user is prompted once to login but gets access to multiple web servers. This isn't possible for Shibboleth alone to guarantee, it depends on the authentication interface, which is managed by Tomcat or Apache in front of the IdP. If you just do LDAP and decide to ask for the password every time the user gets sent to the IdP, you won't get SSO.

> We are still in the beginning stage to understand Shibboleth and see how a
> shibbolized environment provides more services to our campus. The only
> production application which I can think has immediate needs on Shibboleth
> is Globus. Currently Globus is using LDAP authentication with a Kerberos
> plugin.

Globus isn't purely web-based. The connection to Shibboleth is through other projects like GridShib and is not really something I feel qualified to comment on. That's why we continue to say if it's not a browser, it's not Shibboleth, end of story. It's simpler than trying to explain all the potential future directions.

> As you suggested before, I have two machines, one for IdP and one for SP.
> Based on all the above plus your point of view on Kerberos, what is the best
> approach to go? Should I set up a stand-alone IdP with stand-alone CAS or
> Kerberos, or use Luminis Platform as IdP?

Well, I generally would never rely on an application to be the IdP except for some use case where it was managing the users. If your users are managed outside Luminis, I don't think I would use it as the IdP. Our IdP will also change and evolve and it will do so faster than they will provide updates to their version of it. I would keep the issues separate.

As for authentication, if you have CAS, that's fine. You still have to deal with CAS and determine how you want it to authenticate people though. Authentication is really a separate issue you should address based on other requirements. All I'm saying is that if you have both Kerberos and LDAP with the same set of users, there are trade-offs with either one as a back-end.

No matter what you pick, you can make the system appear to be doing SSO, but that requires some extra effort, whether it's using CAS or configuring things on the Shibboleth side.

-- Scott


