Shibboleth is a HTTP based protocol. If the "client-server" application is 
web-based then Shibboleth is probably the correct choice because it will work 
without any special configuration to the web browser. If it's not web-based 
then Kerberos may be the better option.

/Ritchie

-----Original Message-----
From: Quanah Gibson-Mount [mailto:[EMAIL PROTECTED]
Sent: Thursday, 13 December 2007 6:37 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: ldap@listserver.itd.umich.edu
Subject: [ldap] Re: integrated authentication

Try shibboleth.

--On December 12, 2007 4:32:41 PM -0500 [EMAIL PROTECTED] wrote:

> Hallvard,
>
> If I choose "windows integrated authentication", then I am providing 
> single sign-on experience only for windows users. I am envisioning a 
> client organization having offices in NYC, London and Tokyo. Each 
> office has complete autonomy in setting up their protected domains 
> with firewalls. In this environment, our product, developed as a 
> client - server architecture must be deployed and work with single 
> sign-on experience. What it means is that some protected domain in NYC 
> office will host the server and an authorized user with valid 
> credential has already logged in into his machine which is part of a 
> protected domain in a Tokyo office. Assuming that the domain 
> controller in the Tokyo office and the NYC office supports LDAP 
> protocol (please note that I am not committing to any operating system 
> or directory server, so it could be openLDAP or windows Active 
> director or even a MAC open directory server). To provide single 
> sign-on experience for the authorized user of the Tokyo office, the 
> domain controller in Tokyo office, which authenticated the user, must 
> translate the user's credential into a fully qualified LDAP credential 
> and communicate it to the LDAP server in NYC (acting as the primary 
> domain controller for the whole organization). Since the user for 
> already authenticated by the DC in Tokyo office, the NYC DC trusts it 
> and consider the Tokyo user as authenticated for accessing the serer 
> in NYC and provides access for the user. This is what I want to achieve with 
> "single sign-on for LDAP".
>
> Ramesh


---
You are currently subscribed to [EMAIL PROTECTED] as: [EMAIL PROTECTED]
To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as the 
SUBJECT of the message.

Reply via email to