Shibboleth IdP v3.2.1 & LDAP+AD Authentication

Daniel Fisher dfisher at
Tue May 31 15:47:41 EDT 2016

On Tue, May 31, 2016 at 1:34 PM, Michael A Grady <mgrady at> wrote:

> But once you have to start replicating all that config, the advantage
> versus just going back to using JAAS to configure the multiple sources gets
> unclear. The JAAS config is simpler, but perhaps doesn't get you all the
> same account state options -- if you are going to use those. And it sounds
> like the JAAS options are going to get more flexible with 3.3 when it
> becomes available.

One advantage is performance. JAAS failover attempts DN resolution and
authentication against each directory in sequence (probably without
connection pooling). The AggregateDnResolver attempts DN resolution
concurrently, followed by a single authentication attempt (probably with
connection pooling). The configuration is certainly more complex, but
wiring together disparate directories isn't a simple thing.

--Daniel Fisher
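
A toy model of the two flows compared in the message above, added here as an illustration; it is not code from the post or from the Shibboleth IdP. The directories, usernames, DNs and passwords are constructed, LDAP searches and binds are in-memory stand-ins, and refusing a username found in more than one directory is this model's own assumption.

```python
from concurrent.futures import ThreadPoolExecutor

# Constructed sample data: directory name -> {username: (DN, password)}.
DIRECTORIES = {
    "ldap": {"alice": ("uid=alice,ou=people,dc=example,dc=org", "pw-a")},
    "ad": {"bob": ("CN=bob,CN=Users,DC=ad,DC=example,DC=org", "pw-b"),
           "dave": ("CN=dave,CN=Users,DC=ad,DC=example,DC=org", "pw-d1")},
    "alumni": {"carol": ("uid=carol,ou=alumni,dc=example,dc=org", "pw-c"),
               "dave": ("uid=dave,ou=alumni,dc=example,dc=org", "pw-d2")},
}

def resolve_dn(directory, user):
    """Stand-in for the LDAP search that maps a username to a DN."""
    entry = DIRECTORIES[directory].get(user)
    return entry[0] if entry else None

def bind(directory, dn, password):
    """Stand-in for an LDAP bind as the resolved DN."""
    return (dn, password) in DIRECTORIES[directory].values()

def sequential_failover(user, password):
    """Resolve, then bind, against each directory in turn; stop at the first success.
    Returns (authenticated, serial round trips, bind attempts)."""
    trips = binds = 0
    for name in DIRECTORIES:
        trips += 1                      # DN search against this directory
        dn = resolve_dn(name, user)
        if dn is None:
            continue
        trips += 1                      # bind attempt against this directory
        binds += 1
        if bind(name, dn, password):
            return True, trips, binds
    return False, trips, binds

def aggregate(user, password):
    """Resolve against all directories concurrently, then bind once.
    Returns (authenticated, serial round trips, bind attempts)."""
    names = list(DIRECTORIES)
    with ThreadPoolExecutor(max_workers=len(names)) as pool:
        dns = list(pool.map(lambda n: resolve_dn(n, user), names))
    hits = [(n, dn) for n, dn in zip(names, dns) if dn is not None]
    if len(hits) != 1:                  # unknown or ambiguous username: no bind at all
        return False, 1, 0
    name, dn = hits[0]
    return bind(name, dn, password), 2, 1   # one concurrent search stage + one bind
```

In this model the sequential flow's round trips grow with the user's position in the directory list, and a username present in two directories produces a failed bind against the first one before the second succeeds; the aggregate flow stays at two serial stages.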