JiscMail Logo
Email discussion lists for the UK Education and Research communities

Help for JISC-SHIBBOLETH Archives


JISC-SHIBBOLETH Archives

JISC-SHIBBOLETH Archives


JISC-SHIBBOLETH@JISCMAIL.AC.UK


View:

Message:

[

First

|

Previous

|

Next

|

Last

]

By Topic:

[

First

|

Previous

|

Next

|

Last

]

By Author:

[

First

|

Previous

|

Next

|

Last

]

Font:

Proportional Font

LISTSERV Archives

LISTSERV Archives

JISC-SHIBBOLETH Home

JISC-SHIBBOLETH Home

JISC-SHIBBOLETH  October 2012

JISC-SHIBBOLETH October 2012

Options

Subscribe or Unsubscribe

Subscribe or Unsubscribe

Log In

Log In

Get Password

Get Password

Subject:

Re: Kerberos to Shibboleth single signon

From:

David Perry <[log in to unmask]>

Reply-To:

Discussion list for Shibboleth developments <[log in to unmask]>

Date:

Mon, 22 Oct 2012 15:32:04 +0100

Content-Type:

text/plain

Parts/Attachments:

Parts/Attachments

text/plain (144 lines)

We would be very interested! I've read about this login handler which I
understand I'll basically have to deploy.
If you have a compiled krb5 apache mod_auth_kerb for testing purposes
that would be appreciated too :)

Thanks,
Dave

David Perry
eLearning Technologist, eLearning Team (L34 - Library)
Hull College Group
Wilberforce Drive, Queen's Gardens, Hull
HU1 3DG
Extension 2230 / Direct Dial 01482 381930





* * * Think about the environment - Do you really need to print this
email?>>> caleb racey <[log in to unmask]> 22/10/2012 15:27
>>>
The document simon pointed at you is a good  first step to getting
Kerberos to work.  Testing with mod_auth_kerb on it’s own is a good
way of checking your Kerberos config  works before you look at setting
up the shibboleth kerebero login handler.   In productions we don’t
use mod auth kerb we use the shibboleth Kerberos login handler that the
folks over in the swiss switch federation built.   The problem with
mod_auth_kerb is  the failover behaviour where is pops up the grey baci
auth box rather than forms based login (depends on which browser is
being used).   We have managed to get work arounds for this and have
shibboleth with kereberos based “true single sign on” working and in
production.
We are  happy to share details of our setup if you are interested
Cheers
Cal

Caleb Racey
Systems architecture manager & project manager gfivo
Newcastle University




From: Discussion list for Shibboleth developments
[mailto:[log in to unmask]] On Behalf Of Simon Palmer
Sent: 22 October 2012 15:12
To: [log in to unmask] 
Subject: Re: Kerberos to Shibboleth single signon

Hi David,
No, I'm not doing this, but here is what Newcastle Uni did:
http://gfivo.ncl.ac.uk/documents/UsingKerberosticketsfortrueSingleSignOn.pdf

fyi, if you can do similar:
We achieve desktop SSO because our idp's login page is "protected"
(SSO'd) using NetIQ Access Manager (Our institution's reverse proxy, LB,
ssl offload, SSO system).




Simon Palmer
Head of Development

Colegsirgâr

e-mail:
[log in to unmask]<mailto:[log in to unmask]>
tel: 01554 748088
www.colegsirgar.ac.uk<http://www.colegsirgar.ac.uk/>
>>> David Perry
<[log in to unmask]<mailto:[log in to unmask]>>
22/10/2012 14:35 >>>
Hi all

Does anyone have any experience deploying this? Onto a linux (SLES 10
SP4) IdP. I've installed the Kerberos client stuff (I *think* - got
krb5, krb5-32bit, krb5-client, yast2-kerberos-client packges installed),
but mod_auth_kerb for Apache won't build - it's complaining no Kerberos
environment is setup yet, probably because until IT figure out what
Kerberos ports are needed and these are opened, I can't configure the
client to talk to our AD server.

I've read the Kerberos login handler config example on this page:
https://wiki.shibboleth.net/confluence/display/SHIB2/Kerberos+Login+Handler
(handler.xml configuration)
and am unsure what domains should go where in the krb:Realm sections
(there are two in this example, but we only want to talk to one
AD/Kerberos domain using one https:// - hosted IdP.

Do we only need 1 :Realm definition?

Thanks in advance for suggestions.

David Perry
eLearning Technologist, eLearning Team (L34 - Library)
Hull College Group
Wilberforce Drive, Queen's Gardens, Hull
HU1 3DG
Extension 2230 / Direct Dial 01482 381930



* * * Think about the environment - Do you really need to print this
email?


**********************************************************************
This message is sent in confidence for the addressee
only. It may  contain confidential or sensitive
information.  The contents are not to be disclosed
to anyone other than the addressee.  Unauthorised
recipients are requested to preserve this
confidentiality and to advise us of any errors in
transmission.  Any views expressed in this message
are solely the views of the individual and do not
represent the views of the College.  Nothing in this
message should be construed as creating a contract.

Hull College owns the email infrastructure, including the contents.

Hull College is committed to sustainability, please reflect before
printing this email.
**********************************************************************

[cid:image001.jpg@01CDB069.BEF05AD0] 
Mae'r e-bost hwn ac unrhyw ffeiliau atodedig yn gyfrinachol ac at
sylw'r unigolyn neu'r sefydliad a enwir uchod. Bydd unrhyw farn neu
sylwadau a fynegir yn perthyn i'r awdur yn unig ac ni chynrychiolant o
anghenraid farn Coleg Sir Gâr. Os ydych chi wedi derbyn yr e-bost hwn ar
gam, rhowch sylw i'r gweinyddwr ar y cyfeiriad canlynol:
[log in to unmask]<mailto:[log in to unmask]>
Cysidrwch yr amgylchedd - a oes wir angen argraffu'r ebost hwn?
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. Any views or opinions expressed are solely those of the
author and do not necessarily represent those of Coleg Sir Gâr. If you
have received this email in error please notify the administrator on the
following address:
[log in to unmask]<mailto:[log in to unmask]>
Please consider the environment - do you really need to print this
email?

Top of Message | Previous Page | Permalink

JiscMail Tools


RSS Feeds and Sharing


Advanced Options


Archives

November 2019
October 2019
September 2019
August 2019
June 2019
May 2019
March 2019
February 2019
January 2019
November 2018
July 2018
June 2018
May 2018
April 2018
March 2018
January 2018
November 2017
October 2017
September 2017
August 2017
July 2017
June 2017
May 2017
March 2017
February 2017
January 2017
October 2016
September 2016
August 2016
July 2016
June 2016
May 2016
March 2016
February 2016
January 2016
December 2015
November 2015
September 2015
August 2015
June 2015
April 2015
March 2015
February 2015
December 2014
November 2014
October 2014
September 2014
August 2014
July 2014
June 2014
May 2014
April 2014
March 2014
February 2014
January 2014
December 2013
November 2013
October 2013
September 2013
August 2013
June 2013
May 2013
April 2013
March 2013
February 2013
January 2013
December 2012
November 2012
October 2012
September 2012
August 2012
July 2012
June 2012
May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
December 2010
November 2010
October 2010
September 2010
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010
January 2010
December 2009
November 2009
October 2009
September 2009
August 2009
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
October 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005


JiscMail is a Jisc service.

View our service policies at https://www.jiscmail.ac.uk/policyandsecurity/ and Jisc's privacy policy at https://www.jisc.ac.uk/website/privacy-notice

Secured by F-Secure Anti-Virus CataList Email List Search Powered by the LISTSERV Email List Manager