Can a single SP front multiple disparate applications?

Cantor, Scott cantor.2 at osu.edu
Fri Sep 6 14:29:17 EDT 2013


On 9/6/13 2:16 PM, "Bryan E. Wooten" <bryan.wooten at utah.edu> wrote:

>I guess my subject says it all.
> 
>We currently don't have single SP deployed on campus, many (100s) of our
>in house applications are using CAS.
> 
>Is it feasible to move them off CAS and behind one SP?

That would seem to be asking about a proxy front-end, which is really
independent of Shibboleth, since the SP wouldn't know anything about what
that server is proxying to specifically. Since I'm not sure that's what
you're really asking after, you may need to restate.

To put it another way, putting them behind one SP would be exactly the
same as putting them behind one CAS client, which presumably you didn't do
for a reason.

Possibly relevant:

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPOneMany
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationModel

Since you're coming from the perspective of CAS, I will say that aside
from the obvious differences over what protocol and security features are
an acceptable minimum, the major design difference is that I actively
discourage any integration of authentication into application code (i.e.,
an API) while CAS certainly has that design goal. That is of course also
my major issue with OAuth and OpenID.

I would encourage use of mod_cas any day over writing code to integrate
with SAML via an API. I've said that before, and it's still my position,
and I have not seen anything that makes me rethink my position.

That's simply to frame your expectations as to why the SP is how it is.
It's not accidental.

-- Scott



