Using Shibboleth Identity Provider for Users Authenticated on an External Shibboleth System

Dave Eisen dkeisen at sequoiars.com
Tue Sep 18 11:53:58 EDT 2012


I understand this, but this is disappointing to me for several reasons:

1. I want to centralize configuration so I do not have to have all client systems (our suite of hosted platforms) understand how to configure various types of authentication.

2. I want to centralize parsing of returned information so we do not have to have all client systems managing conversion of external data to a format useful for our applications. This is to some degree inevitable as the various applications might have different needs, but some centralization seems useful here.

3. I want a common API to provide to my application programmers who in general know nothing about authentication, SAML, LDAP, etc. What you're providing works, but does not meet this goal.

Dave.


-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Christopher Bongaarts
Sent: Tuesday, September 18, 2012 8:05 AM
To: users at shibboleth.net
Subject: Re: Using Shibboleth Identity Provider for Users Authenticated on an External Shibboleth System

I think a more typical approach would be to set up your own IdP to handle the non-Shibboleth authentication sources, but have your SP use the third-party IdPs directly via a discovery mechanism of some sort.

On 9/17/2012 6:39 PM, Dave Eisen wrote:
> Greetings.
>
> I am looking to develop a centralized service to provide
> authentication services to all of my company's hosted platforms. The
> bulk of the users will need to be authenticated against third-party
> systems local to their organization. Some of the organizations use
> LDAP, some use Shibboleth, some use other protocols. We do not at this
> time need to maintain our own internal login/password files.
>
> We will also need data acquisition services getting additional
> information about these users such as email address, street address,
> user type, etc.
>
> The natural way to implement this would be for my company to host our
> own Shibboleth Identity Provider which does whatever parsing and
> configuration management is needed to support this feature and then sends
> the request for the "real" authentication to the third party that
> knows the user. It is natural, but I do not know if it is technically possible.
>
> It is clear from the Shibboleth documentation that I can forward an
> authentication request to an LDAP system. I'm wondering how I support
> users managed by a third-party Shibboleth system.
>
> Is it possible to configure my Identity Provider to authenticate user
> foo using Shibboleth at bar.com's Identity Provider? Different
> Identity Providers for different users? How do I do this?
>
> Thanks.
>
> Dave Eisen
>
> Sequoia Retail Systems
>
> dkeisen at sequoiars.com
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net

--
%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%

--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
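As an added illustration (it is not configuration from either poster; the thread only describes the approach in one sentence), this is what the SP side of Christopher's suggestion looks like in a Shibboleth SP 2.4 or later shibboleth2.xml. No IdP is hard-wired into the SP: the SSO element sends the user to a discovery service, which returns the entityID of the IdP that knows the user (bar.com's IdP for bar.com users, the company's own LDAP-backed IdP for organizations that only offer LDAP), and the SP then starts SAML SSO with that IdP. The set of IdPs the SP will accept an assertion from is exactly the set in its metadata, so the signature filter on the federation metadata is the control that keeps an arbitrary IdP from being "discovered" and trusted. Every hostname, file name and the federation metadata URL below is assumed. Whatever IdP did the authentication, the SP maps the returned attributes through attribute-map.xml and hands them to applications the same way (REMOTE_USER plus request attributes), which is the uniform interface the applications see.

```xml
<!-- Added example: fragment of /etc/shibboleth/shibboleth2.xml for Shibboleth SP 2.4+.
     Hostnames, paths and the federation URL are assumed, not taken from the thread. -->
<ApplicationDefaults entityID="https://sp.sequoia.example/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id">

    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https">

        <!-- No entityID attribute here. With discoveryProtocol="SAMLDS" the SP redirects
             the browser to the discovery service; the DS returns the chosen IdP's entityID
             and the SP issues a SAML2 (or SAML1) request to that IdP. -->
        <SSO discoveryProtocol="SAMLDS"
             discoveryURL="https://ds.sequoia.example/DS/WAYF">
            SAML2 SAML1
        </SSO>

        <Logout>SAML2 Local</Logout>
        <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
        <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
        <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <Errors supportContact="support@sequoia.example" helpLocation="/about.html"/>

    <!-- Third-party IdPs come from the federation's aggregate. The Signature filter
         verifies the aggregate against the federation signing certificate; without it
         anyone who can tamper with the download could add an IdP the SP would trust.
         RequireValidUntil rejects stale or unexpiring aggregates. -->
    <MetadataProvider type="XML"
                      uri="https://md.example-federation.org/metadata.xml"
                      backingFilePath="federation-metadata.xml"
                      reloadInterval="7200">
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
        <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
    </MetadataProvider>

    <!-- The company's own IdP (the one that fronts the LDAP-only organizations)
         is trusted the same way: through its metadata, loaded from a local file. -->
    <MetadataProvider type="XML" file="/etc/shibboleth/sequoia-idp-metadata.xml"/>

    <!-- Attribute handling is identical regardless of which IdP authenticated the user:
         attribute-map.xml names the SAML attributes to decode, attribute-policy.xml
         says which values to accept from which IdP, and the result reaches the
         application as REMOTE_USER and request attributes. -->
    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
```

The IdP half of the suggestion (the company-run IdP that authenticates LDAP-backed users) is a separate deployment with its own login handler configuration and is not shown here; the point of the fragment is that the SP, not the IdP, is where the per-organization routing happens.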