Authentication Fail-over
Nate Klingenstein
ndk at sudonym.me
Sat Apr 30 18:09:24 EDT 2016
Joel,
I didn’t write it, but the flavor I get from that vignette is just salty. The umami is about right here, but I think it’s more an explanation of why JAAS is not a natural and obvious language for this: it was never designed for the use cases it’s come to address in reality.
It was a primary configuration file format in IdPv2, but people shouldn’t use it today unless they need the features, which I suspect to be the ultimate font of all that. Those features are why I still think it’s by far the easiest way to do what you’d like to do, and it’s been widely used for the purpose in deployment.
I wouldn’t hesitate on this basis.
Take care,
Nate.
> On Apr 30, 2016, at 16:00, Joel Levin <joel.aaron.levin at gmail.com> wrote:
>
> Thanks Nate.
>
> It's my first go with JAAS - reading passage below from - https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration - does it mean that JAAS is not recommended for Shibboleth server-side? Thanks.
>
> "The JAAS (Java Authentication and Authorization Service) is a desktop authentication mechanism in Java that has been commonly misappropriated as a server-side technology. A variety of "login module" plugins exist for different password-based technologies. Support is provided for using JAAS as a back-end for the password authentication login flow."
>
> On Sat, Apr 30, 2016 at 12:49 AM, Nate Klingenstein <ndk at sudonym.me> wrote:
> Joel,
>
> I think it would be easiest to accomplish this entirely in JAAS. It has the sufficiency and fallback capabilities that you’re looking for largely built-in. Only if you want or need to interact further with the user would I try to do anything in the IdP itself.
>
> Taking the late train,
> Nate.
>
> > On Apr 29, 2016, at 18:05, Joel Levin <joel.aaron.levin at gmail.com> wrote:
> >
> > Hi List:
> >
> > Is it possible to configure authentication such that -- if JAAS authentication fails - authentication is via LDAP?
> >
> > Rationale: As accounts are created first in the DB versus LDAP - we wish to authenticate against the DB - but if DB is down - there can be fail-over to LDAP.
> >
> > Thanks
> > --
> > To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>
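An added example, not part of the thread and not Shibboleth or JDK code: a small Python model of the JAAS control flags behind the "sufficiency and fallback" mentioned above, applied to a database-then-LDAP stack. The module names `db` and `ldap` and the outcome labels are constructed for illustration; it shows that a stack of `sufficient` modules falls through to LDAP on any database failure, a rejected password as well as an outage.

```python
# Added illustration: a Python model of how JAAS combines login-module results.
# Module names and outcome labels are constructed; this is not Shibboleth or JDK code.
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"

def jaas_login(stack, outcomes):
    """Evaluate a JAAS-style module stack.

    stack    -- ordered list of (module_name, control_flag)
    outcomes -- module_name -> "ok" | "bad_credentials" | "unavailable"
    Returns (authenticated, modules_consulted).
    """
    consulted = []
    has_mandatory = False      # any required/requisite module in the stack
    mandatory_failed = False   # a required module has failed so far
    any_success = False
    for name, flag in stack:
        consulted.append(name)
        # The control flags only see success or failure: an outage and a
        # rejected password are indistinguishable at this level.
        ok = outcomes[name] == "ok"
        if flag in (REQUIRED, REQUISITE):
            has_mandatory = True
        if ok:
            any_success = True
            if flag == SUFFICIENT and not mandatory_failed:
                return True, consulted       # success short-circuits the stack
        elif flag == REQUIRED:
            mandatory_failed = True          # keep going, but login will fail
        elif flag == REQUISITE:
            return False, consulted          # failure short-circuits the stack
    if has_mandatory:
        return not mandatory_failed, consulted
    return any_success, consulted            # only sufficient/optional modules

# Constructed stack for the thread's use case: database first, LDAP as fallback.
FAILOVER = [("db", SUFFICIENT), ("ldap", SUFFICIENT)]

def scenario(db, ldap):
    return jaas_login(FAILOVER, {"db": db, "ldap": ldap})

if __name__ == "__main__":
    for db, ldap in [("ok", "ok"), ("unavailable", "ok"),
                     ("bad_credentials", "ok"), ("unavailable", "bad_credentials")]:
        print(f"db={db:<16} ldap={ldap:<16} ->", scenario(db, ldap))
```

If the two stores can hold different passwords for the same account, the third case means the LDAP password remains valid even while the database is up and rejecting it.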