
devel - Re: [sympa-dev] sunone access manager

Subject: Developers of Sympa

  • From: Olivier Salaun - CRU <address@concealed>
  • To: address@concealed
  • Cc: address@concealed
  • Subject: Re: [sympa-dev] sunone access manager
  • Date: Tue, 29 Jun 2004 11:11:03 +0200

Hi Keith,

As you probably know, we have already been working on the CAS and Shibboleth integration (cf. the Sympa and AA article) and we're very pleased that you plan to make it interoperate with SunOne. Let us explain what has been done and what is still to be done:

The work that has been done for CAS (Yale university SSO) is very specific because it uses a CAS library. We've written this library (because the one from Yale was buggy and limited) and we've donated it to the Esup Portail project. We've also implemented the proxied credential authentication, via the Sympa SOAP server.

The work that has been done for Shibboleth is more generic, mainly for 2 reasons:
  1. Sympa delegates the Shibb client job to the web server (the shib-rm Apache module should be installed)
  2. Sympa assumes that it will get user attributes from Shibb, including the user email address (whereas CAS does not spread user attributes and obliges Sympa to query an LDAP directory to get the user email address)

Hopefully the work that was done to integrate Shibboleth is generic enough (the associated config parameter was named 'generic_sso') and should make Sympa work as is with the Sun single Sign-On system. Here are the conditions for them to work together:
  1. The authentication libraries should be integrated in the web server that runs Sympa's web interface (typically an Apache module)
  2. This Apache module should be able to protect a single URL. As an example, the Apache config with Shibb will look like this:

       <Location /wws/sso_login/inqueue>
         AuthType shibboleth
         require affiliation ~ ^member@.+
       </Location>

  3. User attributes should be inherited by Sympa through environment variables
  4. User attributes should include the user email address

If all these conditions are satisfied, then you should be able to run Sympa with SunOne right now. Otherwise we need further information about the SunOne design and implementation so we can work together on the design for the new feature.

address@concealed wrote:
> Has anyone thought about making Sympa Sun Java Access Manager (formerly Identity Server) aware? We like the product and are willing to do the work.
  

-- 
Olivier Salaün
Comité Réseau des Universités
-------------------------------------------
Validation signature / Trusting  signature: --> http://igc.cru.fr/trust.html
------------------------------------------- 

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
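
Added example, not part of the original message and not Sympa's own code: a sketch of the application-side check implied by the conditions listed in the message, accepting the e-mail attribute only on the protected URL and only after the web server module has authenticated the request. The attribute variable name SSO_MAIL is hypothetical; the path and AuthType are taken from the Apache block quoted in the message.

```python
import re

# Assumptions, not taken from the original message: the attribute variable
# name below is hypothetical; the path and AuthType mirror the Apache
# <Location> block quoted in the message.
SSO_PATH = "/wws/sso_login/inqueue"
SSO_AUTH_TYPE = "shibboleth"
MAIL_VAR = "SSO_MAIL"  # hypothetical name chosen for this example
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def identity_from_environ(environ):
    """Return (email, None) if the SSO attributes can be used, else (None, reason)."""
    # Attributes are only meaningful on the single URL the module protects.
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
    if path != SSO_PATH:
        return None, "not the protected SSO URL"
    # The web server module must have performed the authentication itself.
    if environ.get("AUTH_TYPE", "").lower() != SSO_AUTH_TYPE:
        return None, "request was not authenticated by the SSO module"
    # The user e-mail address must arrive as an environment variable.
    mail = environ.get(MAIL_VAR, "")
    if not mail:
        return None, "no e-mail attribute received"
    # Exactly one well-formed address; a multi-valued or padded value is
    # refused rather than guessed at.
    if not EMAIL_RE.fullmatch(mail):
        return None, "e-mail attribute is not a single valid address"
    return mail.lower(), None


# Constructed sample environment, as a CGI process would see it.
SAMPLE_ENVIRON = {
    "SCRIPT_NAME": "/wws",
    "PATH_INFO": "/sso_login/inqueue",
    "AUTH_TYPE": "shibboleth",
    MAIL_VAR: "Alice@Example.org",
}

if __name__ == "__main__":
    print(identity_from_environ(SAMPLE_ENVIRON))
```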


