Tuesday, July 10, 2012

Single Sign On (SSO) with Novell Client and Shibboleth

Server requirements:
  1. Novell eDirectory + LDAP.
  2. Kerberos Server.
  3. Shibboleth IDP with Kerberos Auth Plugin.

Client requirements:

  1. Kerberos Client.
  2. Novell Client.
  3. Mozilla Firefox (the browser tested).

Tested structure:

(diagram: SSO Structure)

How it works

  1. The user logs in to the PC with the Novell Client.
  2. Once the user is authenticated, the Kerberos client automatically logs in with the same username and password. Because the Kerberos server stores its principals in the same eDirectory LDAP tree, the principal's key is derived from the same password, so the Kerberos login succeeds and the client holds a ticket-granting ticket (TGT).
  3. When the user is sent to the Shibboleth IDP, Firefox uses the TGT to obtain a service ticket for the IDP (principal HTTP/<idp-hostname>) from the Kerberos server and sends it to the IDP in an Authorization: Negotiate header (SPNEGO). The IDP validates the ticket with its own service key, which it holds in a keytab; the Kerberos server is not contacted for this check, it was only needed to issue the ticket. If the ticket is valid, the IDP treats the user as authenticated and lets them on to the service. Note that Firefox only offers Negotiate to hosts listed in its network.negotiate-auth.trusted-uris preference, so the IDP hostname (or domain) must be added there or no ticket is sent at all.

Main considerations

  1. With this infrastructure, the existing eDirectory LDAP schema must be extended with the Kerberos schema, so that principals can be stored in the tree.
  2. The Kerberos server must be installed with LDAP (eDirectory) as its principal database.
  3. Each Kerberos user principal must be mapped to the corresponding eDirectory user.
  4. Using eDirectory Universal Password lets one stored password serve both the eDirectory login and the Kerberos principal, so there is only a single password entry to maintain.
