But as I said, KeePass looks good. With some work, it could be altered to be centralised and compete with Citrix's SSO functionality.
True single sign-on, at least for web sites, and what Shibboleth is trying to do, is that you have one username and password and then you can sign into other resources using that.
You are authenticated at your home site and the others see you as a valid user and present themselves to you.
The way forward has to be to use domain security / AD info at the heart of it, otherwise you will still be looking at one username and password to log on to a computer and then another one for everything else.
We are about 80% of the way there at the moment with domain security offering web based outlook, access to H: drives and online handbooks, helpdesks, photocopying booking system and subscription websites.
The only alternative username and password our staff need at the moment is for ePortal, which I believe can be supported with AD integration, but I just haven't got around to it yet.
This is mainly built around our school website using iis security options. But much easier because we do not use the LEA mail or learning platform at the moment.
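The flow described above (you authenticate at your home site, and the other sites accept you as a valid user on that basis) is what a federated identity provider does. As an added example that is not from this thread or from the Shibboleth project, here is a toy version in Python: the home site checks the password against its own directory, issues a short-lived signed assertion for one named service, and the service verifies the signature, audience, expiry and replay before trusting the subject. Real Shibboleth uses SAML assertions with XML signatures over public keys rather than the HMAC shared key used here; all host names, users, passwords and keys are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed identity-provider (home site) settings; not a real deployment.
IDP_NAME = "idp.home-school.example"
IDP_KEY = secrets.token_bytes(32)  # shared with every service provider below (toy simplification)

_SALT = b"constructed-salt-for-the-example"


def _hash_pw(password: str) -> bytes:
    # Store a slow salted hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed home-site directory: username -> password hash.
USERS = {"jsmith": _hash_pw("correct horse battery staple")}


def idp_authenticate(username: str, password: str) -> bool:
    """Step 1: the home site checks the user's one username and password."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _hash_pw(password))


def idp_issue_assertion(username: str, audience: str, ttl: int = 300, now=None) -> dict:
    """Step 2: the home site vouches for the authenticated user to one named service."""
    now = time.time() if now is None else now
    claims = {
        "issuer": IDP_NAME,
        "subject": username,
        "audience": audience,        # the one service this assertion is for
        "issued": now,
        "expires": now + ttl,        # short lifetime limits the window for misuse
        "nonce": secrets.token_hex(16),  # lets the service reject a replayed assertion
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "sig": sig}


class ServiceProvider:
    """A site such as the VLE or the portal that trusts the home site's assertions."""

    def __init__(self, name: str, idp_key: bytes):
        self.name = name
        self.idp_key = idp_key
        self.seen_nonces = set()

    def verify(self, assertion: dict, now=None):
        """Step 3: return (True, subject) or (False, reason). Checks run in this order."""
        payload = assertion["payload"].encode()
        expected = hmac.new(self.idp_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return (False, "bad signature")       # tampered or forged
        claims = json.loads(payload)
        if claims["issuer"] != IDP_NAME:
            return (False, "unknown issuer")
        if claims["audience"] != self.name:
            return (False, "wrong audience")      # issued for a different service
        now = time.time() if now is None else now
        if now >= claims["expires"]:
            return (False, "expired")
        if claims["nonce"] in self.seen_nonces:
            return (False, "replayed")
        self.seen_nonces.add(claims["nonce"])
        return (True, claims["subject"])


def sso_login(username: str, password: str, sp: ServiceProvider, now=None):
    """The whole exchange: authenticate at home, get an assertion, present it to the service."""
    if not idp_authenticate(username, password):
        return (False, "authentication failed at home site")
    assertion = idp_issue_assertion(username, sp.name, now=now)
    return sp.verify(assertion, now=now)


if __name__ == "__main__":
    moodle = ServiceProvider("moodle.example", IDP_KEY)
    print(sso_login("jsmith", "correct horse battery staple", moodle))
    print(sso_login("jsmith", "wrong password", moodle))
```

The point the toy makes is that the service never sees the user's password: it only needs a trust relationship with the home site plus the audience, expiry and replay checks, which is why vendor participation is required and why a per-service LDAP bind to your AD is the easier route for anything inside the LAN.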
I agree with limbo... tie it all back to AD where possible. That's the simplest and most cost-effective way... Most PBX systems, email and web portals allow for authentication against AD... it can't be that difficult to get most apps on board, even open source apps.
Regarding Shibboleth, that obviously requires vendor participation, but what does the sysadmin have to do... if it's primarily an application at LEA/RBC level, does that preclude orgs from deploying their own Shibboleth system?
I think products similar to Citrix SSO are a quick and dirty method of reducing password sprawl, but as others have mentioned it is in no way a complete identity management solution. That's where Shibboleth and vendor products come in; the only confusion I have surrounding Shibboleth is its user-friendliness.
Whilst this is not a single sign-on project as such, I have from time to time wished I had more time to look at the Fedora Directory Server project. It seems to offer LDAP/AD/group synchronisation, which is more of a metadirectory-style solution.
I have also previously looked at Home | DirectSSO whilst investigating typo3 CMS.
Has anyone ever installed/used the Fedora system? It looks a promising approach for any system that supports LDAP.
PS also http://openid.net/
Last edited by monkeyx; 15th July 2008 at 08:01 PM.
I haven't used this but what about Active Directory Federation Services? It might be more focused on web technologies.
Single Sign-On: A Developer's Introduction To Active Directory Federation Services
Take a look at FreeIPA. I suspect some day we'll replace our aging Active Directory with this, unless the LA come to the rescue and offer us all MCSEs for Microsoft when they install their Shibbolised MS AD.
Main Page - Free IPA
I've not seen the Citrix solution before - it does look good but it looks as if it's just an automated way of remembering all the passwords (it talks about pre-provisioning secondary credentials). Anything with Citrix in the name tends to be expensive (but you do get what you pay for :-)) so other solutions might be better.
Lots of software can have LDAP authentication. Moodle does, for example, and it's relatively easy to do, so it ought to be an option in other packages (I think the MIS system we use has an LDAP option, although we're not using it at the moment).
I'd guess it's worth talking to suppliers to see if they can do LDAP although it's going to be much harder for things external to you - handling secure collection of usernames and passwords isn't always easy and this is where Shibboleth comes in. If only I could understand where I start with it (but we have registered as an IdP so I'd guess that almost counts as a start!)
@cookie, monkey - thanks for the info....
I didn't think about the Active Directory and Fedora Directory 'add-ons' for SSO and federation. I'd imagine ADFS only plays nice with other M$ apps; the Fedora Directory Server, on the surface at least, seems more promising. I believe the commercial Red Hat Directory Server is based on the Netscape Directory Server, which was highly scalable and truly 'enterprise'... if Fedora Directory is the community project of that particular product it can only be good, imo.
@steve - great minds and all that... I was just about to ask cybernerd about 'where to start' when it comes to Shibboleth. I edited it because I assumed he would point me in the direction of the Shibboleth bit at Internet2 (and quite rightly so), but my brain's starting to hurt at this time of the evening and I'd want the idiot's guide to Shibboleth 101 ;0) with examples of using apps we all know, love, hate and abuse - I'm thinking Moodle, GroupWise, Exchange, SharePoint, Asterisk etc.
Can you have one identity/SSO solution for both internal and web-facing stuff, or is it as simple as LDAP for inside/LAN, Shibboleth for outside/WAN?
Last edited by torledo; 15th July 2008 at 08:35 PM.