Which handler LDAP SSO - NOW kerberos integration

Morris, Andi amorris at cardiffmet.ac.uk
Wed Nov 19 12:43:23 EST 2014

Very fair points, and I wasn't having a dig at anybody, or the project in general.

Unfortunately for me it's not uncommon in our environment. Users are transparently logged on to the majority of resources they access, with just a small few requiring an extra login form. We currently have Shibboleth running on Windows with SSPI integration, and have done for a few years now, but as mentioned I'm having trouble with it authenticating users when they have special characters in their password, hence the need to upgrade, and hopefully move the environment to Linux at the same time.

I'm going to have to get around this somehow as I just can't see the internal departments being at all happy if I can't get integrated logon working in the new version, when it worked in the old. So tomorrow, fresh install, start again, and try to get spnego working once more.


-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: 19 November 2014 17:18
To: Shib Users
Subject: Re: Which handler LDAP SSO - NOW kerberos integration

On 11/19/14, 4:21 PM, "Morris, Andi" <amorris at cardiffmet.ac.uk> wrote:

>It's very surprising to me that there isn't a more "out of the box" 
>solution for integrated Kerberos login with Shibboleth. I do appreciate 
>the open source nature of the software however.

Use of desktop authentication on the web is very uncommon and is half-baked, with untenable error handling behavior, and operates with assumptions that don't hold in any large campus environments. If it were clean and failed gracefully, there would be more support for it. As it is, it's a mini-project to come up with anything tenable, and whatever we did would meet only a subset of environments' requirements.

Compare that to a form that accepts passwords.

Add in that using desktop authentication makes web logout even more impossible than it already is (and yet people still ask for it), and it renders features like forced authentication impossible. There are reasons why it doesn't fit well.

-- Scott
