We would be very interested! I've read about this login handler which I
understand I'll basically have to deploy.
If you have a compiled krb5 apache mod_auth_kerb for testing purposes
that would be appreciated too :)
Thanks,
Dave
David Perry
eLearning Technologist, eLearning Team (L34 - Library)
Hull College Group
Wilberforce Drive, Queen's Gardens, Hull
HU1 3DG
Extension 2230 / Direct Dial 01482 381930
* * * Think about the environment - Do you really need to print this
email?>>> caleb racey <[log in to unmask]> 22/10/2012 15:27
>>>
The document simon pointed at you is a good first step to getting
Kerberos to work. Testing with mod_auth_kerb on it’s own is a good
way of checking your Kerberos config works before you look at setting
up the shibboleth kerebero login handler. In productions we don’t
use mod auth kerb we use the shibboleth Kerberos login handler that the
folks over in the swiss switch federation built. The problem with
mod_auth_kerb is the failover behaviour where is pops up the grey baci
auth box rather than forms based login (depends on which browser is
being used). We have managed to get work arounds for this and have
shibboleth with kereberos based “true single sign on” working and in
production.
We are happy to share details of our setup if you are interested
Cheers
Cal
Caleb Racey
Systems architecture manager & project manager gfivo
Newcastle University
From: Discussion list for Shibboleth developments
[mailto:[log in to unmask]] On Behalf Of Simon Palmer
Sent: 22 October 2012 15:12
To: [log in to unmask]
Subject: Re: Kerberos to Shibboleth single signon
Hi David,
No, I'm not doing this, but here is what Newcastle Uni did:
http://gfivo.ncl.ac.uk/documents/UsingKerberosticketsfortrueSingleSignOn.pdf
fyi, if you can do similar:
We achieve desktop SSO because our idp's login page is "protected"
(SSO'd) using NetIQ Access Manager (Our institution's reverse proxy, LB,
ssl offload, SSO system).
Simon Palmer
Head of Development
Colegsirgâr
e-mail:
[log in to unmask]<mailto:[log in to unmask]>
tel: 01554 748088
www.colegsirgar.ac.uk<http://www.colegsirgar.ac.uk/>
>>> David Perry
<[log in to unmask]<mailto:[log in to unmask]>>
22/10/2012 14:35 >>>
Hi all
Does anyone have any experience deploying this? Onto a linux (SLES 10
SP4) IdP. I've installed the Kerberos client stuff (I *think* - got
krb5, krb5-32bit, krb5-client, yast2-kerberos-client packges installed),
but mod_auth_kerb for Apache won't build - it's complaining no Kerberos
environment is setup yet, probably because until IT figure out what
Kerberos ports are needed and these are opened, I can't configure the
client to talk to our AD server.
I've read the Kerberos login handler config example on this page:
https://wiki.shibboleth.net/confluence/display/SHIB2/Kerberos+Login+Handler
(handler.xml configuration)
and am unsure what domains should go where in the krb:Realm sections
(there are two in this example, but we only want to talk to one
AD/Kerberos domain using one https:// - hosted IdP.
Do we only need 1 :Realm definition?
Thanks in advance for suggestions.
David Perry
eLearning Technologist, eLearning Team (L34 - Library)
Hull College Group
Wilberforce Drive, Queen's Gardens, Hull
HU1 3DG
Extension 2230 / Direct Dial 01482 381930
* * * Think about the environment - Do you really need to print this
email?
**********************************************************************
This message is sent in confidence for the addressee
only. It may contain confidential or sensitive
information. The contents are not to be disclosed
to anyone other than the addressee. Unauthorised
recipients are requested to preserve this
confidentiality and to advise us of any errors in
transmission. Any views expressed in this message
are solely the views of the individual and do not
represent the views of the College. Nothing in this
message should be construed as creating a contract.
Hull College owns the email infrastructure, including the contents.
Hull College is committed to sustainability, please reflect before
printing this email.
**********************************************************************
[cid:image001.jpg@01CDB069.BEF05AD0]
Mae'r e-bost hwn ac unrhyw ffeiliau atodedig yn gyfrinachol ac at
sylw'r unigolyn neu'r sefydliad a enwir uchod. Bydd unrhyw farn neu
sylwadau a fynegir yn perthyn i'r awdur yn unig ac ni chynrychiolant o
anghenraid farn Coleg Sir Gâr. Os ydych chi wedi derbyn yr e-bost hwn ar
gam, rhowch sylw i'r gweinyddwr ar y cyfeiriad canlynol:
[log in to unmask]<mailto:[log in to unmask]>
Cysidrwch yr amgylchedd - a oes wir angen argraffu'r ebost hwn?
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. Any views or opinions expressed are solely those of the
author and do not necessarily represent those of Coleg Sir Gâr. If you
have received this email in error please notify the administrator on the
following address:
[log in to unmask]<mailto:[log in to unmask]>
Please consider the environment - do you really need to print this
email?
|