shibboleth-dev - Re: Shibboleth CAS LDAP Kerberos
Subject: Shibboleth Developers
List archive
- From: Scott Cantor <>
- To:
- Subject: Re: Shibboleth CAS LDAP Kerberos
- Date: Thu, 07 Jun 2007 11:22:13 -0400
Lisa Tan wrote:
Sorry, I've just realized I have overlooked your email yesterday. As you
indicated the purpose of SSO, I think I am confused about SSO and LDAP
authentication.
Web SSO (if the first S is for "Single") means the user is prompted once to login but gets access to multiple web servers. This isn't possible for Shibboleth alone to guarantee, it depends on the authentication interface, which is managed by Tomcat or Apache in front of the IdP. If you just do LDAP and decide to ask for the password every time the user gets sent to the IdP, you won't get SSO.
We are still in the beginning stage to understand Shibboleth and see how
shibbolized environment provides more services to our campus. The only
production application which I can think has immediately needs on Shibboleth
is Globus. Currently Globus is using LDAP authentication with Kerberos
plugin.
Globus isn't purely web-based. The connection to Shibboleth is through other projects like GridShib and is not really something I feel qualified to comment on. That's why we continue to say if it's not a browser, it's not Shibboleth, end of story. It's simpler than trying to explain all the potential future directions.
As you suggested before, I have two machines, one for IdP and one for SP.
Based on all the above plus your point of view on Kerberos, what is the best
approach to go? Should I set up stand alone IdP with stand alone CAS or
Kerberos, or use Luminis Platform as IdP?
Well, I generally would never rely on an application to be the IdP except for some use case where it was managing the users. If your users are managed outside Luminis, I don't think I would use it as the IdP. Our IdP will also change and evolve and it will do so faster than they will provide updates to their version of it. I would keep the issues separate.
As for authentication, if you have CAS, that's fine. You still have to deal with CAS and determine how you want it to authenticate people though. Authentication is really a separate issue you should address based on other requirements. All I'm saying is that if you have both Kerberos and LDAP with the same set of users, there are trade-offs with either one as a back-end.
No matter what you pick, you can make the system appear to be doing SSO, but that requires some extra effort, whether it's using CAS or configuring things on the Shibboleth side.
-- Scott
- Re: Location of SP Session Cache, André Cruz, 06/06/2007
- Re: Location of SP Session Cache, Scott Cantor, 06/06/2007
- RE: Shibboleth CAS LDAP Kerberos, Lisa Tan, 06/06/2007
- Re: Shibboleth CAS LDAP Kerberos, Scott Cantor, 06/06/2007
- RE: Shibboleth CAS LDAP Kerberos, Lisa Tan, 06/06/2007
- Re: Shibboleth CAS LDAP Kerberos, Scott Cantor, 06/06/2007
- RE: Shibboleth CAS LDAP Kerberos, Lisa Tan, 06/07/2007
- Re: Shibboleth CAS LDAP Kerberos, Scott Cantor, 06/07/2007
- RE: Shibboleth CAS LDAP Kerberos, Lisa Tan, 06/07/2007
- Re: Shibboleth CAS LDAP Kerberos, Scott Cantor, 06/07/2007
- RE: Shibboleth CAS LDAP Kerberos, Lisa Tan, 06/07/2007
- Re: Shibboleth CAS LDAP Kerberos, Scott Cantor, 06/08/2007
- RE: Shibboleth CAS LDAP Kerberos, Lisa Tan, 06/08/2007
- RE: Shibboleth CAS LDAP Kerberos, Lisa Tan, 06/07/2007
- Re: Shibboleth CAS LDAP Kerberos, Scott Cantor, 06/06/2007
- RE: Shibboleth CAS LDAP Kerberos, Lisa Tan, 06/06/2007
- Re: Shibboleth CAS LDAP Kerberos, Scott Cantor, 06/06/2007
- RE: Shibboleth CAS LDAP Kerberos, Lisa Tan, 06/06/2007
- Re: Location of SP Session Cache, Scott Cantor, 06/06/2007
- Re: Location of SP Session Cache, Scott Cantor, 06/06/2007
- Re: Location of SP Session Cache, André Cruz, 06/07/2007
- Re: Location of SP Session Cache, Scott Cantor, 06/07/2007
- Re: Location of SP Session Cache, André Cruz, 06/07/2007
- Re: Location of SP Session Cache, Scott Cantor, 06/07/2007
- Re: Location of SP Session Cache, André Cruz, 06/07/2007
Archive powered by MHonArc 2.6.16.