Multiple Active Directories

Michael A Grady mgrady at unicon.net
Tue May 21 18:42:24 EDT 2019


> On May 21, 2019, at 5:28 PM, Peter Schober <peter.schober at univie.ac.at> wrote:
> 
> * Myn Harry <mynharry at gmail.com> [2019-05-21 21:47]:
>> Is there a way in Shibboleth to bind against both Active Directories for
>> authentications? Try College A, and next College B, for successful bind?
> 
> Note that unless you know that userids/netids (whatever subjects enter
> during authen on your IDPs login page) are unique across both
> directories that's potentially insecure.
> 
> (Only) If subjects are already forced to enter domain-qualified
> userids (e.g. user at example.org) during login would that be safe.
> 
> -peter
> 

Yes, if your namespaces are going to overlap, such that the username the users fill in is not unique between the 2 directories, another alternative to consider is to use the Unicon SplitAuthn extension, but then the user needs to choose which they want to use on the Login page. Or some similar approach. See:

 https://github.com/Unicon/ccc-shib-split-authn

That approach allows for tying the attribute source to the authentication source, so only one directory is accessed for both, based on the "realm" chosen by the user.

Or, as Peter suggests, make them enter domain-qualified userids as the username in the first place.

p.s. It is now being used with 3.4.x releases, so it will work with 3.4.x, need to get that page updated.

--
Michael A. Grady
IAM Architect, Unicon, Inc.
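As an added illustration (constructed for this thread, not code from the posters, Shibboleth, or the Unicon extension), the following Python model shows why the "try College A, then College B" bind is unsafe when uids overlap, and how a domain-qualified userid ties the attribute source to the authentication source. The directories, uids and passwords are made-up sample data held in dicts; no LDAP server is contacted.

```python
"""Constructed model of the two-directory login problem discussed above.

Two colleges each run a directory whose uid namespace overlaps ("jsmith"
exists in both). Directories are plain dicts standing in for LDAP.
"""
import hashlib
import hmac


def _h(pw: str) -> str:
    # Toy password hashing for the model only; real directories do their own.
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample directories: uid -> (password hash, released attributes)
COLLEGE_A = {"jsmith": (_h("a-secret"), {"mail": "jsmith@college-a.example", "affiliation": "staff"})}
COLLEGE_B = {"jsmith": (_h("b-secret"), {"mail": "jsmith@college-b.example", "affiliation": "student"})}
# Realm (the domain part of a domain-qualified userid) -> directory
REALMS = {"college-a.example": COLLEGE_A, "college-b.example": COLLEGE_B}


def _bind(directory, uid, password):
    """Simulated LDAP bind: succeeds only if uid exists and password matches."""
    entry = directory.get(uid)
    return entry is not None and hmac.compare_digest(entry[0], _h(password))


def fallback_login(uid, password):
    """The pattern asked about: bind against A, then B, with a bare uid.

    Authentication and attribute resolution are decoupled: whichever directory
    accepted the bind, attributes are then looked up by bare uid in directory
    order, so an overlapping uid is issued the *other* college's identity.
    """
    if not any(_bind(d, uid, password) for d in (COLLEGE_A, COLLEGE_B)):
        return None
    for d in (COLLEGE_A, COLLEGE_B):
        if uid in d:
            return d[uid][1]
    return None


def realm_login(login, password):
    """Domain-qualified userid (user@realm), as Peter suggests.

    The realm selects exactly one directory, and both the bind and the
    attribute lookup go to that directory, so the sources are tied together.
    """
    uid, sep, realm = login.partition("@")
    directory = REALMS.get(realm)
    if not sep or directory is None or not _bind(directory, uid, password):
        return None
    return directory[uid][1]
```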


