Re: used shibboleth

  • Subject: Re: used shibboleth
  • From: Chuck Hill <email@hidden>
  • Date: Wed, 11 Mar 2009 20:58:15 -0700


On Mar 11, 2009, at 8:26 PM, TW wrote:

On Mar 11, 2009, at 7:37 PM, Chuck Hill wrote:


On Mar 11, 2009, at 6:31 PM, TW wrote:

All:

Our campus is going to be moving to Shibboleth as the preferred SSO authentication system for web apps. Has anyone here had any experience with deploying WebObjects apps behind this authentication mechanism? My understanding is that Shibboleth really operates more at the Apache/web server layer. Because of that, I'm wondering what, if anything, really needs to be done at the app layer.

Any insights, opinions, experiences, etc., would be gladly accepted and appreciated.

Tim
Programmer/Analyst III, UCLA GSE&IS

Do you need to know who the user is, or just that they are authenticated?


Chuck

My apps will definitely need to know who the user is. Apparently, with Shibboleth you can designate somehow that certain data gets sent back to the requesting server - I think in the HTTP headers. So, I'm assuming that there's some intention to return something that will identify the user, since other systems on campus are already using it. And I think I've read that campus wants to standardize what the returned items are.

I'd think that a very good idea.


If it works as described, it sounds like it has the potential to make authentication to my apps easier if we choose to use this instead of our LDAP auth. Have you looked at or used Shibboleth, Chuck?


I have looked at it very briefly. I have worked with Cosign and WebAuth, which are somewhat similar. Both of those return the sign-on ID in the REMOTE_USER header. Shibboleth, IIRC, does not, or does not guarantee it (something about authenticated yet anonymous users?). It can make your apps easier to write / manage. If you get a request (or an HTTPS protected request, depending on configuration), then you can safely assume the request is from an authenticated user. From there it is a simple matter to examine the data (usually an HTTP header) to determine user identity.


Chuck


-- Chuck Hill Senior Consultant / VP Development

Practical WebObjects - for developers who want to increase their overall knowledge of WebObjects or who are trying to solve specific problems.
http://www.global-village.net/products/practical_webobjects
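
Added example, not part of the thread and not WebObjects or Shibboleth code: one way an application can resolve the signed-on user from headers set by the web server's SSO module, covering the case mentioned above where an authenticated request carries no identity. The class name, the trusted peer addresses, the `eppn` header name and the sample values are assumptions; the header map stands in for whatever the request object exposes.

```java
import java.util.*;

public class SsoIdentity {
    // Assumption: only the SSO-protected web server (here on localhost) forwards requests to the app.
    static final Set<String> TRUSTED_PEERS = Set.of("127.0.0.1", "::1");
    // Assumption: identity headers the campus standardizes on, in order of preference.
    static final List<String> ID_HEADERS = List.of("remote_user", "eppn");

    /** Returns the user ID, or empty when the request is authenticated but anonymous. */
    static Optional<String> userFor(String peerAddress, Map<String, String> headers) {
        if (!TRUSTED_PEERS.contains(peerAddress)) {
            // A request that did not pass through the web server was never checked by the
            // SSO module, so its identity headers prove nothing.
            throw new SecurityException("request bypassed the SSO web server: " + peerAddress);
        }
        // HTTP header names are case-insensitive, so normalize before lookup.
        Map<String, String> lower = new HashMap<>();
        headers.forEach((k, v) -> lower.put(k.toLowerCase(Locale.ROOT), v));
        for (String name : ID_HEADERS) {
            String value = lower.get(name);
            if (value != null && !value.isBlank()) {
                return Optional.of(value.trim());
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample requests.
        // 1. Forwarded by the web server with a sign-on ID.
        System.out.println(userFor("127.0.0.1", Map.of("REMOTE_USER", "user1@example.edu")));
        // 2. Forwarded by the web server, authenticated, but no identity released.
        System.out.println(userFor("127.0.0.1", Map.of("Host", "app.example.edu")));
        // 3. Sent straight to the application port with a self-supplied header.
        try {
            userFor("192.0.2.10", Map.of("REMOTE_USER", "admin@example.edu"));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The second case is where the application has to decide what an authenticated user without an ID may do; the third is why the application's own port should accept connections only from the web server.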






