Which handler LDAP SSO

Morris, Andi amorris at cardiffmet.ac.uk
Tue Nov 11 07:44:00 EST 2014


Thanks. I have UsernamePassword configured at the moment and I'm having trouble getting the bind to work so that users can log in, but I'll continue to work on that.

However, when running against test shib I'm being shown a login screen, as expected at the moment. When I have the LDAP running correctly, will the users still be shown this screen if they already currently have valid Windows credentials, or will I need to configure this with Kerberos? What we have at the moment is users being logged on without being prompted when they access a Shibboleth resource internally.

Cheers,
Adi

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
Sent: 11 November 2014 12:03
To: users at shibboleth.net
Subject: Re: Which handler LDAP SSO

* Morris, Andi <amorris at cardiffmet.ac.uk> [2014-11-11 12:45]:
> I'm setting up a new Shibboleth IDP environment and I have some 
> questions regarding the handlers. Our current environment is Windows 
> based Apache Tomcat, and uses the RemoteUser handler which SSOs users 
> against our active directory back end, although I can't find any info 
> on how to configure RemoteUser to use LDAP.

It's RemoteUser as far as the IDP software is concerned. The LDAP authentication will be configured in Apache Tomcat then, which in turn speaks to your LDAP DSA.

> I'd like to move this to RedHat with Apache Tomcat and looking at the 
> handlers in the wiki it actually seems that the username password 
> handler would be better suited to what I need, however I'm not sure 
> whether I can configure this for SSO. Is this possible? If not, is 
> there any guidance on doing this with RemoteUser?

UsernamePassword is what you want.
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass

SSO comes from the PreviousSession handler, which is enabled by default and doesn't need any additional configuration, i.e. it will Just Work.
-peter