Shibboleth is an HTTP-based protocol. If the "client-server" application is web-based then Shibboleth is probably the correct choice, because it will work without any special configuration of the web browser. If it's not web-based then Kerberos may be the better option.
/Ritchie

-----Original Message-----
From: Quanah Gibson-Mount [mailto:[EMAIL PROTECTED]
Sent: Thursday, 13 December 2007 6:37 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: ldap@listserver.itd.umich.edu
Subject: [ldap] Re: integrated authentication

Try shibboleth.

--On December 12, 2007 4:32:41 PM -0500 [EMAIL PROTECTED] wrote:

> Hallvard,
>
> If I choose "windows integrated authentication", then I am providing a
> single sign-on experience only for Windows users. I am envisioning a
> client organization having offices in NYC, London and Tokyo. Each
> office has complete autonomy in setting up their protected domains
> with firewalls. In this environment, our product, developed as a
> client-server architecture, must be deployed and work with a single
> sign-on experience. What it means is that some protected domain in the NYC
> office will host the server, and an authorized user with valid
> credentials has already logged in to his machine, which is part of a
> protected domain in a Tokyo office. Assume that the domain
> controllers in the Tokyo office and the NYC office support the LDAP
> protocol (please note that I am not committing to any operating system
> or directory server, so it could be OpenLDAP or Windows Active
> Directory or even a Mac Open Directory server). To provide a single
> sign-on experience for the authorized user of the Tokyo office, the
> domain controller in the Tokyo office, which authenticated the user, must
> translate the user's credential into a fully qualified LDAP credential
> and communicate it to the LDAP server in NYC (acting as the primary
> domain controller for the whole organization). Since the user was
> already authenticated by the DC in the Tokyo office, the NYC DC trusts it
> and considers the Tokyo user as authenticated for accessing the server
> in NYC and provides access for the user. This is what I want to achieve with
> "single sign-on for LDAP".
>
> Ramesh