Which handler LDAP SSO - NOW kerberos integration

Cantor, Scott cantor.2 at osu.edu
Wed Nov 19 12:51:55 EST 2014

On 11/19/14, 5:43 PM, "Morris, Andi" <amorris at cardiffmet.ac.uk> wrote:

>Very fair points, and I wasn't having a dig at anybody, or the project in 

I didn't take it that way in any sense, I just wanted to explain some of 
why it's not in the state we'd like.

>I'm going to have to get around this somehow as I just can't see the 
>internal departments being at all happy if I can't get integrated logon 
>working in the new version, when it worked in the old. So tomorrow, fresh 
>install, start again, and try to get spnego working once more.

As an option, you could do it in Apache with mod_auth_kerb worst case, and 
pass in REMOTE_USER.

But if you're saying that everybody accessing the IdP can use SPNEGO, then 
the error handling issues that make this so painful go away for the most 
part and it should be much cleaner either way. If not, the pain here is 
because SPNEGO (and HTTP authentication in general) is just badly designed 
for these kinds of environments.

-- Scott

More information about the users mailing list