On 10/9/13 9:57 AM, "Sam Hartman" <[log in to unmask]> wrote:
>
>Scott noted that some sort of mechanism for doing mapping is required
>and he's not sure it should be the Shibboleth SP.

Not exclusively at least. I particularly believe the notion of
"local-login-user" needs to be standardized and a GSS naming attribute
defined for it.

>I honestly think the SP sounds like a really good candidate for that
>sort of mapping layer for non-Windows GSS-API.
>There really isn't anything. Kerberos has some hackish approaches as
>well as support for Microsoft PACs.
>The SP seems like one of the better approaches to this problem I've
>seen.
>Perhaps I'm missing reasons why that would be a bad idea.

My main concern is the overhead. I think for that to be a good long-term
answer, some work is desirable to strip down/back the components involved
in the SP and particularly the configuration. There's a lot of Web SSO
overhead involved that isn't relevant to the use case.

And then secondly, I think we need the standardization of an extension
attribute for application uniformity when they are username-based. A
REMOTE_USER if you will.

-- Scott