General guidance for new admin

[Mike Nielsen]

Hi list users!

I have inherited maintenance and management of Shibboleth for an SaaS
provider.

Having had no previous experience with it, I would be grateful if some kind
soul could provide me with some high-level guidance.

Up until now, the service (single SP) has had a single IdP -- an
internally-controlled Active Directory.  Sign-on has been via user id and
password, which are authenticated via LDAP to the AD.

Now, we would like to entertain several more use-cases:


   1. Users within the domain of a licensed client would like to have SSO
   capability -- authenticating to their web portal one time only, then having
   access to our SaaS without the need to again provide credentials;
   2. Some clients would like to be able to provide a user id/password to
   our login page, but have the user id's and passwords be from *their*
   authentication domains (i.e. corporate AD or whatever).  The list of
   clients doing this is fairly small.

Overall, we expect to have only a few distinct IdP's (<25).

I have perused the Shibboleth Wiki at great length, and am getting a little
lost in the complexity.  It seems like a very good reference, but I wasn't
able to specifically locate any How-To documentation on my use-cases.

We use the user's email address as their user name, and that can identify
the IdP for the user (after inspection: i.e. via the email domain) -- for
client privacy reasons we are unable to ask the user to select their
identity provider from a list.

What would really make my day is some general guidance on how to proceed
with the two new cases.  We can transition our existing authentication into
Case 1.

I have done a search on Amazon and haven't been able to find a book that
looks helpful, so any recommendations would also be gratefully received.

Warm regards,

Mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20170512/03c64c7a/attachment.html>