By tkudo on Apr 01, 2008
I have very little knowledge on both Shibboleth specification and implementation however, It seems easy to integrate Sun Java System Access Manager / OpenSSO with it to centralize user authentication into single access management infrastructure and provide some other strong authentication methods such as client certificate, finger vein etc.
The integration point is REMOTE_USER variable between the Shibboleth IdP and Application Server with Policy Agent, just like what Paul did for Sun Secure Global Desktop / Access Manager integration.
Sets the principal name in the IdP to REMOTE_USER as determined by the web server or container's authentication, similar to Shibboleth 1.3.
IdPUserAuthn - Shibboleth 2 Documentation - Internet2 Wiki
The user ID value is used by the agent to set the value of the REMOTE_USER server variable.
Setting the REMOTE_USER Server Variable (Sun Java System Access Manager Policy Agent 2.2 Guide for Apache HTTP Server 2.2)
The key step here (doco) in order to get it working is to modify the Tomcat server.xml to look like the following, this ensures that Apache forwards the value of REMOTE_USER to the Tomcat engine: [...]
Sun Grenoble Engineering Identity/Desktop Event : I'll Get My Coat
Here's a simple diagram. Let me know if I missed something.