Random authentication question
Cantor, Scott
cantor.2 at osu.edu
Fri Apr 29 13:38:18 EDT 2016
> We are using Shibboleth to SSO into AWS and OpenStack, neither are on
> domain so it's the perfect fit.
> - but that's where domain identity ends - logging into instances uses public
> keys and all sense of domain-ness is gone. (no admins, keys all over the place
> etc.)
> Instances boot from generic images, but admins can configure default
> bootstrapping actions
> Is there any role for Shibboleth for logging into cloud instances?
Can it technically work, sure. In practice none of the code for that is really widely available. The nominal standard for that is the SAML-EC GSS-API method I defined, and which the IdP supports the back-end portion of. But that takes openssh changes (I think) and libraries only available as research projects.
There's also Moonshot / ABFAB that uses RADIUS/EAP and can also leverage an IdP in limited fashion for attributes.
-- Scott