trying again - post went missing...
does that mean every user who uses shibboleth/blackboard/webct
(anything that uses ldap authn) outside the institution needs a CAL?
Surely that would mean an SP needs a CAL too as it's doing exactly
what the user is doing - using the IdP to interact with a backend AD.
SSO for the user, getting attributes in the case of the SP.
Alistair
On 29 Apr 2008, at 16:26, Nigel Bruce wrote:
> No, the exact opposite :-)
>
> -----Original Message-----
> From: Discussion list for Shibboleth developments
> [mailto:[log in to unmask]] On Behalf Of Alistair Young
> Sent: 29 April 2008 16:14
> To: [log in to unmask]
> Subject: Re: AD, IdPs and MS licensing
>
> that's interesting - does that mean an institution has to buy a CAL for
> its IdP if the IdP talks to AD via LDAP? But the users who access the
> IdP from home via browsers/hardware not owned by the institution are
> covered by the IdP's CAL?
>
> Alistair
>
>
> --
> mov eax,1
> mov ebx,0
> int 80h
>
>> Pete
>>
>> If you use AD for authenticating to Shibboleth from a device not
>> owned by your University/College you theoretically need to buy a Windows
>> Client Access Licence (CAL) for that device. Campus (MCA) only covers
>> you for using AD from institutionally owned devices. In reality it is
>> not practical to do this so Microsoft 'allow' you to buy an external
>> connector licence. You would need to buy one for each of your domain
>> controllers (unless you configure LDAP to only use a subset of them).
>> They're not that expensive. It doesn't matter that you are using LDAP
>> rather than NTLM.
>>
>> Some people have tried to argue that it is the Shibboleth server that
>> is doing the authentication and that you therefore only need to
>> licence the one device, i.e. the server. However this is called
>> 'multiplexing' in MS licensing parlance and is explicitly forbidden
>> :-)
>>
>> Cheers
>>
>> Nigel
>>
>> Nigel Bruce
>> Service Group Leader
>> Information Systems Services
>> University of Leeds
>> LEEDS, LS2 9JT
>> Tel. 0113 343 5384
>>
>> -----Original Message-----
>> From: Discussion list for Shibboleth developments
>> [mailto:[log in to unmask]] On Behalf Of Steve Prentice
>> Sent: 29 April 2008 12:41
>> To: [log in to unmask]
>> Subject: Re: AD, IdPs and MS licensing
>>
>> Hi Pete,
>>
>> I just read your email with an interest and not sure if there were
>> any replies?
>>
>> My assumption is that shibboleth (or the associated technologies
>> running an IdP) only use an LDAP lookup against AD, so wouldn't need
>> any type of licensing?
>>
>> Cheers,
>>
>> Steve
>> Richard Huish College
>>
>> -----Original Message-----
>> From: Discussion list for Shibboleth developments
>> [mailto:[log in to unmask]] On Behalf Of Pete Lettin
>> Sent: 25 April 2008 09:44
>> To: [log in to unmask]
>> Subject: Re: AD, IdPs and MS licensing
>>
>> Hi,
>>
>> We are currently trying to install a shibboleth test server
>> authenticating against AD.
>>
>> Did you ever get any information about MS licensing, do we need an
>> external connector license for shibboleth?
>>
>> Pete :-)
>>
>> Pete Lettin
>>
>> Senior Network Engineer
>> Doncaster College
>>
--------------
mov eax,1
mov ebx,0
int 80h