attribs from db what jaas uses
Szerb, Tamas
toma at rulez.org
Wed Jun 25 18:10:44 EDT 2014
Scott,
regarding the namespace that others also mentioned, do you mean the well
determined OIDs and URNs? Is there a recommended way for them? Because as I
understand that I can guarantee that the intersection of user stores is
nil, I can use the same attrib names.
Regarding SPs, they are usually able to use one IdP at the same time; at
least I saw only these.
Cheers,
VWOL
Tamas SZERB <toma at rulez.org>
On Wed, Jun 25, 2014 at 11:58 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> > OK, let me clarify the use case.
> >
> > 1) Authenticate against database
> > 2) If no user there, try to authenticate against LDAP
> > 3) if succeeded, then fetch the attribute from the data source where the
> > user authenticated.
>
> Then by definition your namespaces have to be unified, making (3)
> unnecessary. And in any case it's not possible, as several people have
> noted.
>
> > After investigating Shibboleth and the common practices (and other
> > products), I think that would be the appropriate approach, since the IdP
> > could be the common place where all the data aggregations would happen.
>
> That isn't really the "normal" advice, the major point of an IDM strategy
> is to do it outside the IdP, but it's hardly uncommon. It still remains
> unnecessary to guarantee anything about which data source gets checked. You
> build a failover chain between the two data sources so that it always gets
> the data and it's fine.
>
> > Each SP can be configured to use only one IdP, so the method of using
> > different user/attrib stores would be up to Shibboleth.
>
> I don't know what that means. It's not true, unless you're talking about
> your SPs and some particular constraint you have. SPs can use any IdPs they
> want to.
>
> -- Scott
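
The failover chain described in the quoted reply, sketched as an added example (not part of the thread and not either poster's configuration), following Shibboleth IdP 2.x `attribute-resolver.xml` conventions. Connector ids, hostnames, credentials, the table and column names are placeholders, and the `resolver`/`dc`/`ad`/`enc` prefixes are assumed to be declared as in the stock file.

```xml
<!-- Database connector, tried first. noResultIsError turns "no row for this
     user" into a failure, so the resolver falls over to the LDAP connector. -->
<resolver:DataConnector id="userDB" xsi:type="dc:RelationalDatabase"
                        noResultIsError="true">
    <resolver:FailoverDataConnector ref="userLDAP"/>
    <dc:ApplicationManagedConnection
        jdbcDriver="org.postgresql.Driver"
        jdbcURL="jdbc:postgresql://db.example.org/idm"
        jdbcUserName="idp_ro"
        jdbcPassword="CHANGE_ME"/>
    <dc:QueryTemplate>
        <![CDATA[
            SELECT mail FROM users WHERE uid = '$requestContext.principalName'
        ]]>
    </dc:QueryTemplate>
    <!-- Map the column to the same attribute id the LDAP connector returns. -->
    <dc:Column columnName="mail" attributeID="mail"/>
</resolver:DataConnector>

<!-- LDAP connector, used only when the database connector fails. It is not
     listed as a Dependency anywhere; it is reached through the failover ref. -->
<resolver:DataConnector id="userLDAP" xsi:type="dc:LDAPDirectory"
                        ldapURL="ldaps://ldap.example.org"
                        baseDN="ou=people,dc=example,dc=org"
                        principal="uid=idp,ou=system,dc=example,dc=org"
                        principalCredential="CHANGE_ME">
    <dc:FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName)
        ]]>
    </dc:FilterTemplate>
</resolver:DataConnector>

<!-- One definition serves both stores because the attribute namespace is
     unified: whichever connector answered, the value arrives as "mail" and
     is released to SPs under a single OID-based name. -->
<resolver:AttributeDefinition id="mail" xsi:type="ad:Simple"
                              sourceAttributeID="mail">
    <resolver:Dependency ref="userDB"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="urn:oid:0.9.2342.19200300.100.1.3"
                               friendlyName="mail"/>
</resolver:AttributeDefinition>
```

The resolver never needs to know which store authenticated the user; it only needs both connectors to emit the same attribute ids for a given principal name.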