SP Without SSO...

John Mitchell jpmitchell at alaska.edu
Wed Sep 14 22:57:08 BST 2011


   I have an application owner that wants their SP to not support
SSO. So putting aside the issue of why someone would want this, it
appears to me that to create a configuration that truly supports this
is not really possible with the Shibboleth IdP. I created a
configuration where the SP session lifetime is very low and forceAuthN
is set and this gets pretty close but not quite. We have a use case
for an application where a user has two sets of credentials they want
to use with the application. One being more privileged than the other
(an admin account, and a non-admin account). With this configuration
the only way to make things work is to ask the IdP to logout the first
user so the second user can login since forceAuthN expects the user to
stay the same in the session. The user experience in this case when
the user goes to use other services integrated with the IdP is less
than optimal since the user expects to just be "logged-in" to the
other apps. Is there a way to support both use cases (SSO/no SSO) in
the same IdP with the current software? If not would it be feasible to
make it support this use case somehow? Currently I think the only way
to handle this is to have two IdPs, with one setup such that its
session lifetime is very low and another with a more normal session
lifetime and then allow SPs to choose which they wish to use. Any
ideas? Thanks for the input.

John P. Mitchell <jpmitchell at alaska.edu>

"All mankind is divided into three classes: those that are immovable,
those that are movable, and those that move." - Benjamin Franklin

More information about the users mailing list