The following types of authentication are natively supported by the Shibboleth IdP:
  - requires a service account
  - supported natively in Java, supports AD

- There are a number of possibilities within the resolver to transform attributes via templates, scripts, and other transform capabilities.
- Globally unique names are needed
  - URLs accomplish the above objective, are generally easy, and can be self-documenting
  - URNs work as well and are the default in the IdP

Other Things You'll Need
- LDAP Service Account
  - No special rights are generally required other than read-only. The Shibboleth IdP does not write to the LDAP store.
- SSL Certificate
  - This will be used on the login page seen by users, so it should be trusted by their browsers (generally commercial certificates are used here)

Other Decisions to Consider
- Container operational environment
  - Use of container "secrets"
    - For this class, using secrets also requires a Swarm deployment
    - docker-compose also supports secrets, but that is not currently covered by this class
- HA deployment