
List:       shibboleth-users
Subject:    Re: Authentication Fail-over
From:       Nate Klingenstein <ndk () sudonym ! me>
Date:       2016-04-30 22:09:24
Message-ID: 56C52118-7877-440E-A700-5B3AC4A9D37B () sudonym ! me


Joel,

I didn't write it, but the flavor I get from that vignette is just salty.  The umami is about right here, but I think it's more an explanation of why JAAS is not a natural and obvious language for this: it was never designed for the use cases it's come to address in reality.

It was a primary configuration file format in IdPv2, but people shouldn't use it today unless they need the features, which I suspect to be the ultimate font of all that.  Those features are why I still think it's by far the easiest way to do what you'd like to do, and it's been widely used for the purpose in deployment.

I wouldn't hesitate on this basis.

Take care,
Nate.

> On Apr 30, 2016, at 16:00, Joel Levin <joel.aaron.levin@gmail.com> wrote:
> 
> Thanks Nate.
> 
> It's my first go with JAAS - reading passage below from - https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration - does it mean that JAAS is not recommended for Shibboleth server-side? Thanks.
> 
> "The JAAS (Java Authentication and Authorization Service) is a desktop authentication mechanism in Java that has been commonly misappropriated as a server-side technology. A variety of "login module" plugins exist for different password-based technologies. Support is provided for using JAAS as a back-end for the password authentication login flow."
> 
> On Sat, Apr 30, 2016 at 12:49 AM, Nate Klingenstein <ndk@sudonym.me> wrote:
> 
> Joel,
> 
> I think it would be easiest to accomplish this entire in JAAS.  It has the sufficiency and fallback capabilities that you're looking for largely built-in.  Only if you want or need to interact further with the user would I try to do anything in the IdP itself.
> Taking the late train,
> Nate.
> 
> > On Apr 29, 2016, at 18:05, Joel Levin <joel.aaron.levin@gmail.com> wrote:
> > Hi List:
> > 
> > Is it possible to configure authentication such that -- if JAAS authentication fails - authentication is via LDAP?
> > 
> > Rationale: As accounts are created first in the DB versus LDAP - we wish to authenticate against the DB - but if DB is down - there can be fail-over to LDAP.
> > Thanks
> > --
> > To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net
> 
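
A JAAS login configuration of the kind Nate describes, added here as an illustration and not taken from the thread or from the Shibboleth project: both modules carry the `sufficient` control flag, so a success in the database module ends the login at once and any failure there falls through to the LDAP module. The application name `ShibUserPassAuth` and `org.ldaptive.jaas.LdapLoginModule` are what the IdP 3 default jaas.config uses; the database module class, its option names, and every host and DN are placeholders.

```text
// Added example, not from the thread or the Shibboleth project.
// ShibUserPassAuth is the application name the IdP 3 default jaas.config uses.
// com.example.placeholder.DatabaseLoginModule and its options are placeholders;
// substitute the JDBC login module you actually deploy.
ShibUserPassAuth {
    // Tried first. "sufficient": if login() succeeds the stack returns success
    // immediately; if it fails for ANY reason (wrong password or unreachable
    // database) control passes to the next module.
    com.example.placeholder.DatabaseLoginModule sufficient
        jdbcUrl="jdbc:postgresql://db.example.org/accounts"
        userQuery="SELECT password_hash FROM accounts WHERE username = ?";

    // Reached only when the database module did not succeed. Also "sufficient",
    // so an LDAP bind success completes the login; LDAP failure ends the stack
    // with no successful module and the login is refused.
    org.ldaptive.jaas.LdapLoginModule sufficient
        ldapUrl="ldap://ldap.example.org"
        useStartTLS="true"
        baseDn="ou=people,dc=example,dc=org"
        userFilter="(uid={user})";
};
```

JAAS control flags cannot tell a database outage from a rejected password: with `sufficient` on the first module, a credential the database refuses is retried against LDAP as well, so the fail-over is only as safe as keeping the two password stores consistent. Marking the database module `requisite` instead makes its rejection final, but at the cost of the outage fall-through this thread is after.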