Random authentication question

Cantor, Scott cantor.2 at osu.edu
Fri Apr 29 13:38:18 EDT 2016

> We are using Shibboleth to SSO into AWS and OpenStack, neither are on
> domain so it's the perfect fit.
> - but that's where domain identity ends - logging into instances uses public
> keys and all sense of domain-ness is gone. (no admins, keys all over the place
> etc.)
> Instances boot from generic images, but admins can configure default
> bootstrapping actions.
> Is there any role for Shibboleth for logging into cloud instances?

Can it technically work? Sure. In practice none of the code for that is really widely available. The nominal standard for that is the SAML-EC GSS-API method I defined, and which the IdP supports the back-end portion of. But that takes OpenSSH changes (I think) and libraries only available as research projects.

There's also Moonshot / ABFAB that uses RADIUS/EAP and can also leverage an IdP in limited fashion for attributes.

-- Scott
