General guidance for new admin
mnielsen894 at gmail.com
Fri May 12 12:38:04 EDT 2017
Hi list users!
I have inherited maintenance and management of Shibboleth for an SaaS
Having had no previous experience with it, I would be grateful if some kind
soul could provide me with some high-level guidance.
Up until now, the service (single SP) has had a single IdP -- an
internally-controlled Active Directory. Sign-on has been via user id and
password, which are authenticated via LDAP to the AD.
Now, we would like to entertain several more use-cases:
1. Users within the domain of a licensed client would like to have SSO
capability -- authenticating to their web portal one time only, then having
access to our SaaS without the need to again provide credentials;
2. Some clients would like to be able to provide a user id/password to
our login page, but have the user ids and passwords be from *their*
authentication domains (i.e. corporate AD or whatever). The list of
clients doing this is fairly small.
Overall, we expect to have only a few distinct IdPs (<25).
I have perused the Shibboleth Wiki at great length, and am getting a little
lost in the complexity. It seems like a very good reference, but I wasn't
able to specifically locate any How-To documentation on my use-cases.
We use the user's email address as their user name, and that can identify
the IdP for the user (after inspection: i.e. via the email domain) -- for
client privacy reasons we are unable to ask the user to select their
identity provider from a list.
What would really make my day is some general guidance on how to proceed
with the two new cases. We can transition our existing authentication into
I have done a search on Amazon and haven't been able to find a book that
looks helpful, so any recommendations would also be gratefully received.
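The e-mail-domain-to-IdP selection the post describes, sketched as an added example that is not from the original post or from the Shibboleth project. The domain names and entityIDs in the mapping are constructed placeholders, and the mapping itself is an assumption: in a real deployment it would come from configuration or metadata, not a hard-coded dict.

```python
# Added example (not from the original post): pick a user's IdP from the
# domain part of the e-mail address they type, instead of showing a
# discovery list of all client IdPs.
from typing import Optional

# Constructed sample mapping of client e-mail domains to IdP entityIDs.
# Every value here is a placeholder, not a real identity provider.
DOMAIN_TO_IDP = {
    "example-client-a.com": "https://idp.example-client-a.com/idp/shibboleth",
    "example-client-b.org": "https://sso.example-client-b.org/idp/shibboleth",
}

# Placeholder for the internal Active Directory IdP used by staff accounts.
INTERNAL_IDP = "https://idp.internal.example/idp/shibboleth"
INTERNAL_DOMAINS = {"example-saas.com"}


def email_domain(address: str) -> Optional[str]:
    """Return the normalised (lower-cased) domain of an e-mail address,
    or None if the address is malformed."""
    address = address.strip()
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or not domain or "." not in domain:
        return None
    return domain.lower().rstrip(".")


def resolve_idp(address: str) -> Optional[str]:
    """Map an e-mail address to an IdP entityID.

    Returns None for unknown or malformed input so the caller falls back
    to the existing local login rather than guessing an IdP. The same
    response for every unknown domain also avoids telling an anonymous
    visitor which client domains are registered.
    """
    domain = email_domain(address)
    if domain is None:
        return None
    if domain in INTERNAL_DOMAINS:
        return INTERNAL_IDP
    # Try the exact domain first, then its parent domains, so that a user
    # at "mail.example-client-a.com" is sent to client A's IdP as well.
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_TO_IDP:
            return DOMAIN_TO_IDP[candidate]
    return None


if __name__ == "__main__":
    for sample in ("Alice@Example-Client-A.com",
                   "bob@mail.example-client-b.org",
                   "carol@example-saas.com",
                   "nobody@unknown.example"):
        print(sample, "->", resolve_idp(sample))
```

The parent-domain walk stops before the public suffix (it never tests a bare "com"), and the lookup is case-insensitive so that a user typing a mixed-case address is not sent to the wrong place. Whether the unknown-domain path shows the password form or an error is a product decision; the point is that it is one fixed path, chosen before any IdP is contacted.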