How to perform Conditional Authentication from LDAP and SQL based on SP name or any value?

dalipcse91
Hi Team,

I have two user stores, one is SQL Server and the other one is LDAP. I have
configured both in the JAAS.config file. Users get authenticated
successfully.
My problem is that the authentication flow checks the user in both stores
sequentially with the Sufficient flag.
Is there any way to tell Shibboleth to use SQL or LDAP for authentication
based on the entered user email's domain name? I mean to say "if the user email's
domain is "samsung.com" then authenticate this user from LDAP, else from SQL"?

My JAAS.config :

ShibUserPassAuth {
    /*
    com.sun.security.auth.module.Krb5LoginModule required;
    */

    com.tagish.auth.DBLogin sufficient
        debug=true
        dbDriver="com.microsoft.sqlserver.jdbc.SQLServerDriver"
        dbURL="jdbc:sqlserver://IND107\\IND107;user=sa;password=Welcome1234;database=IDP"
        userTable="Users"
        userColumn="UserName"
        passColumn="Password";

    org.ldaptive.jaas.LdapLoginModule sufficient
        ldapUrl="ldap://mp2052r2-roja2.sotiindia.edu:389"
        baseDn="dc=meatoffice,dc=edu"
        bindDn="CN=Administrator,CN=Users,DC=meatoffice,DC=edu"
        bindCredential="Welcome1234"
        subtreeSearch="true"
        userFilter="userPrincipalName={user}";
};

Looking for a valuable response.

--
Sent from: http://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: How to perform Conditional Authentication from LDAP and SQL based on SP name or any value?

Peter Schober
* dalipcse91 <[hidden email]> [2018-05-15 16:31]:
> Is there any way to tell shibboleth to use sql or ldap for
> authentication based on entered user email's domain name ?

Probably not (easily) when using JAAS.

Personally I'd try to work around my Identity Management mess so that
I can provide a unified interface to all services, not just the
Shibboleth IDP.

Also expecting people to understand that they'd have to use credential
set A when accessing services of type X, Y or Z, but credential set B
when accessing services 1, 2 or 3 seems highly confusing and prone to
errors.
Add SSO on top of that and this becomes fully futile, IMO.

-peter

RE: How to perform Conditional Authentication from LDAP and SQL based on SP name or any value?

Cantor, Scott E.
In reply to this post by dalipcse91
> Is there any way to tell shibboleth to use sql or ldap for authentication based
> on entered user email's domain name ? I mean to say "if user email's domain is
> "samsung.com" then authenticate this user from ldap else from sql "?

The JAAS support can specify individual JAAS application configs to use with activation conditions attached to them to control when they get used. Should be documented at least in formal reference terms as to what the beans are.

-- Scott
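
Scott's pointer spelled out in the IdP's Spring terms, as an added example that is not part of this thread and not the project's own shipped file: a fragment for conf/authn/jaas-authn-config.xml (IdP 3.x) that attaches an activation condition to each JAAS application so only one backend is consulted per login. It assumes the two modules above have been split into two JAAS application sections named ShibLDAPAuth and ShibSQLAuth (assumed names, each with its single module set to required), and that the bean names shibboleth.authn.JAAS.LoginConfigurations, shibboleth.Pair, shibboleth.Conditions.Scripted and shibboleth.Conditions.NOT match your IdP version's reference.

```xml
<!-- Added example (not the IdP's shipped file): fragment for conf/authn/jaas-authn-config.xml.
     Assumed JAAS application names: ShibLDAPAuth (LdapLoginModule only) and
     ShibSQLAuth (DBLogin only). -->

<!-- True when the entered username ends in "@samsung.com".
     "input" is the ProfileRequestContext handed to a scripted condition. -->
<bean id="IsSamsungUser" parent="shibboleth.Conditions.Scripted" factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
        var result = false;
        var authnCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
        if (authnCtx != null) {
            var upCtx = authnCtx.getSubcontext("net.shibboleth.idp.authn.context.UsernamePasswordContext");
            if (upCtx != null && upCtx.getUsername() != null) {
                // Match the domain part only: a username without "@" never selects LDAP.
                result = upCtx.getUsername().toLowerCase().endsWith("@samsung.com");
            }
        }
        result;
        ]]>
        </value>
    </constructor-arg>
</bean>

<!-- Everyone else goes to the SQL store. -->
<bean id="IsNotSamsungUser" parent="shibboleth.Conditions.NOT">
    <constructor-arg ref="IsSamsungUser" />
</bean>

<!-- Used in place of the default shibboleth.authn.JAAS.LoginConfigNames list (comment that one out).
     Each entry pairs a JAAS application name with the condition under which it is tried,
     so the two stores are no longer tried one after the other. -->
<util:list id="shibboleth.authn.JAAS.LoginConfigurations">
    <bean parent="shibboleth.Pair" p:first="ShibLDAPAuth" p:second-ref="IsSamsungUser" />
    <bean parent="shibboleth.Pair" p:first="ShibSQLAuth"  p:second-ref="IsNotSamsungUser" />
</util:list>
```

With the modules in separate applications and marked required, a failed LDAP bind for a samsung.com user is reported as a failure rather than silently falling through to the SQL table.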
