John Tang Boyland <[email protected]> writes:

> Our institution uses "Shibboleth" for off-campus authentication,
> since it keeps the AD (and thus Kerberos) servers hidden behind
> a firewall. Does anyone know how to have OpenAFS use Shibboleth
> for authentication?
The short version is that you can't.

The long version is that Shibboleth per se is specifically and exclusively for web authentication and doesn't support authenticating any other protocol. It does use an underlying security protocol called SAML that could be used to authenticate other protocols. However, you then still have three problems:

1. So far, the work to use SAML for other protocols is at a very preliminary phase, although in progress. For something like AFS, you would want to have a GSS-API profile for SAML, which I believe some people may be working on, but which is far from ready to use.

2. The current releases of AFS only support Kerberos through AFS's internal rxkad security protocol. You have to use direct Kerberos; nothing else is supported. Work is underway on a new AFS security protocol called rxgk, which would allow use of any GSS-API protocol for AFS authentication. However, this work is not yet complete or ready to deploy.

3. It's unlikely any of your existing Shibboleth infrastructure can do "pure" SAML for use with another protocol right now. You'd have to write local glue to do that. (It's possible someone else has already done this.)

Note that you'd have the same issue with any other file system protocol that I'm aware of. I don't think either NFS or CIFS could support SAML authentication at this point either. (Although I'm not sure what the state of CIFS is in combination with Microsoft's federation support.)

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
