Using Shibboleth Identity Provider for Users Authenticated on an External Shibboleth System
Dave Eisen
dkeisen at sequoiars.com
Tue Sep 18 11:53:58 EDT 2012
I understand this, but this is disappointing to me for several reasons:
1. I want to centralize configuration so I do not have to have all client systems (our suite of hosted platforms) understand how to configure various types of authentication.
2. I want to centralize parsing of returned information so we do not have to have all client systems managing conversion of external data to a format useful for our applications. This is to some degree inevitable as the various applications might have different needs, but some centralization seems useful here.
3. I want a common API to provide to my application programmers who in general know nothing about authentication, SAML, LDAP, etc. What you're providing works, but does not meet this goal.
Dave.
-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Christopher Bongaarts
Sent: Tuesday, September 18, 2012 8:05 AM
To: users at shibboleth.net
Subject: Re: Using Shibboleth Identity Provider for Users Authenticated on an External Shibboleth System
I think a more typical approach would be to set up your own IdP to handle the non-Shibboleth authentication sources, but have your SP use the third-party IdPs directly via a discovery mechanism of some sort.
On 9/17/2012 6:39 PM, Dave Eisen wrote:
> Greetings.
>
> I am looking to develop a centralized service to provide
> authentication services to all of my company's hosted platforms. The
> bulk of the users will need to be authenticated against third party
> systems local to their organization. Some of the organizations use
> LDAP, some use Shibboleth, some use other protocols. We do not at this
> time need to maintain our own internal login/password files.
>
> We will also need data acquisition services getting additional
> information about these users such as email address, street address,
> user type, etc.
>
> The natural way to implement this would be for my company to host our
> own Shibboleth Identity Provider which does whatever parsing and
> configuration management needed to support this feature and then sends
> the request for the "real" authentication to the third party that
> knows the user. It is natural, but I do not know if it is technically possible.
>
> It is clear from the Shibboleth documentation that I can forward an
> authentication request to an LDAP system. I'm wondering how I support
> users managed by a third party Shibboleth system.
>
> Is it possible to configure my Identity Provider to authenticate user
> foo using Shibboleth at bar.com's Identity Provider? Different
> Identity Providers for different users? How do I do this?
>
> Thanks.
>
> Dave Eisen
>
> Sequoia Retail Systems
>
> dkeisen at sequoiars.com
>
>
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net<mailto:users-unsubscribe at shibboleth.net>
>
--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%