On 7/15/2015 11:44 AM, fp IDMWORKS wrote:
> In the setup_guide, it indicates that OSP must be used for CA, HPD, Reporting, SSPR and UA.
>
> Does this mean that we must use it? Or can we choose to use another SSO? Currently I can't log in to my dev environment as there is an error indicating that authentication isn't set up.
When it was just User App, SSO was built into UA (SAP Logon tickets, Kerb, and headers for SSO from some other SSO solution).
With the additional 'modules' (Landing, dash, CA, Reporting, etc.) they needed to do SSO within the different modules of the now-named "Identity applications".
So OSP was taken from the xAccess products (Cloud Access, Mobile Access, Social Access) to be the internal SSO method, since it can do Kerb, user/password, and SAML for initial login, and then OAuth for backend services. (OSP is almost like a stripped-down NAM, meant for a single-box model instead of all the components of NAM.)
You can SSO your SAML stack to OSP, which then federates you to the identity apps, which, in UA, then federate you to eDir via the eDir NMAS SAML method (since no password came through the SSO from outside, but you need to bind to eDir so your form's actions happen as 'you').
Is that enough federation for you? :)
I have been writing some articles about this stuff, in trying to get Shibboleth working with OSP via SAML. It does work. (Two bugs found, one fixed, one still outstanding but easy to work around, as of 4.5.1.)
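The chain above (external SAML IdP to OSP, then onward into the identity apps) works precisely because no password ever crosses the boundary: the user is established entirely by who issued the assertion, for whom, and when. The following is an added example, not code from this thread, from OSP, or from NetIQ; it shows the standard checks any SAML 2.0 service provider has to make on a bearer assertion before mapping its NameID to a directory user. The function name `validate_assertion`, the helper `saml_time`, the IdP/SP URLs and the sample assertion are all constructed for illustration. XML signature verification is mandatory in a real deployment and is done with an XML-DSig library against the IdP's pinned certificate; it is left out here only to keep the example to the standard library.

```python
"""Conditions check for an inbound SAML 2.0 bearer assertion.

Added example, not code from the thread, OSP, or NetIQ. Signature
verification (mandatory in practice) is omitted to stay stdlib-only.
All URLs and the sample assertion are constructed, not captured.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: a Shibboleth-style IdP (hypothetical entityID) asserting
# user 'jdoe' to a hypothetical SP whose entityID is https://sp.example.com/saml.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    ID="_f3a1" Version="2.0" IssueInstant="2015-07-15T15:44:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData NotOnOrAfter="2015-07-15T15:49:00Z"
          Recipient="https://sp.example.com/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2015-07-15T15:43:00Z" NotOnOrAfter="2015-07-15T15:49:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def saml_time(value):
    """Parse a SAML xsd:dateTime in UTC ('...Z') into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, acs_url, now,
                       skew=timedelta(minutes=2)):
    """Return (True, name_id) if the assertion may be trusted, else (False, reason).

    Every check fails closed: a missing element is a rejection, never a pass.
    `now` is passed in so the check is deterministic and testable.
    """
    # Stdlib ElementTree does not defend against entity-expansion attacks;
    # parse untrusted XML with defusedxml in production.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"unparseable XML: {exc}"
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "root element is not a SAML 2.0 Assertion"

    # 1. Only the one configured IdP may vouch for users.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        return False, f"issuer {issuer!r} is not the configured IdP"

    # 2. Validity window, with a small allowance for clock skew.
    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None:
        return False, "no Conditions element"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < saml_time(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now - skew >= saml_time(not_on_or_after):
        return False, "assertion expired"

    # 3. The assertion must have been minted for *this* SP, not replayed from another.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", namespaces=NS)
                 if a.text]
    if expected_audience not in audiences:
        return False, "assertion was not issued for this service provider"

    # 4. Bearer confirmation must name our ACS endpoint and carry its own expiry.
    bearer = None
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", namespaces=NS):
        if sc.get("Method") == BEARER:
            bearer = sc.find("saml:SubjectConfirmationData", namespaces=NS)
    if bearer is None:
        return False, "no bearer SubjectConfirmationData"
    if bearer.get("Recipient") != acs_url:
        return False, "bearer confirmation is addressed to another endpoint"
    expiry = bearer.get("NotOnOrAfter")
    if not expiry or now - skew >= saml_time(expiry):
        return False, "bearer confirmation expired or unbounded"

    # 5. Only now is the subject worth mapping to a directory account.
    name_id = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not name_id:
        return False, "no NameID to map to a directory user"
    return True, name_id


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, "https://idp.example.edu/idp/shibboleth",
                             "https://sp.example.com/saml", "https://sp.example.com/saml/acs",
                             saml_time("2015-07-15T15:45:00Z")))
```

The order matters less than the fact that every branch rejects: a consumer that accepts an assertion with a missing Conditions element, or with no AudienceRestriction, will happily accept an assertion the IdP minted for some other SP. The skew allowance is the one knob worth tuning; two minutes is generous, and anything wider mostly papers over unsynchronised clocks rather than fixing them.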