Which handler LDAP SSO - NOW kerberos integration

Cantor, Scott cantor.2 at osu.edu
Wed Nov 19 12:18:17 EST 2014


On 11/19/14, 4:21 PM, "Morris, Andi" <amorris at cardiffmet.ac.uk> wrote:

>It's very surprising to me that there isn't a more "out of the box" 
>solution for integrated Kerberos login with Shibboleth. I do appreciate 
>the open source nature of the software however.

Use of desktop authentication on the web is very uncommon and is 
half-baked, with untenable error handling behavior, and operates with 
assumptions that don't hold in any large campus environments. If it were 
clean and failed gracefully, there would be more support for it. As it is, 
it's a mini-project to come up with anything tenable, and whatever we did 
would meet only a subset of enviromments' requirements.

Compare that to a form that accepts passwords.

Add in that using desktop authentication makes web logout even more 
impossible than it already is (and yet people still ask for it), and it 
renders features like forced authentication impossible. There are reasons 
why it doesn't fit well.

-- Scott



More information about the users mailing list