Page 210 - Building Digital Libraries

Access Management


but those who are in Active Directory will only have to log in once rather than retype their credentials each time they access a new service, as they would had the repository queried Active Directory using LDAP to authenticate users.

If your organization offers SSO that is supported by your repository, SSO offers a better user experience and better security than the alternatives, so it is normally the preferred access mechanism.
SSO provides the following benefits:

• Users can log in with credentials they use for other services, and once they’ve logged into an SSO service, they won’t be asked to log in again when they access another SSO service.
• Users can access multiple systems (including LDAP), allowing more flexibility in the authentication process.
• Sensitive information such as user passwords is not stored in the repository system and is therefore not a security burden for the repository itself.


Central Authentication Service (CAS)

CAS is an open source protocol for SSO authentication that validates users against a database such as LDAP. CAS centralizes authentication and is appropriate if you want to ask all users to log into a single service. CAS is easier to implement than Shibboleth, though it has less functionality because it cannot express user attributes as richly, nor does it have federated capabilities. However, it is a good option when available if it meets the needs at hand.
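To make concrete how CAS keeps the password out of the repository, here is an added example (not code from the book or from any CAS implementation) of the service-ticket validation step a repository performs after the CAS server redirects the user back with a ticket. It assumes a CAS 2.0/3.0 server exposing the standard /serviceValidate endpoint; the server URL, service URL, tickets and XML responses are constructed placeholders, and the HTTPS fetch is injected as a callable so the parsing runs offline.

```python
"""Validate a CAS service ticket the way a repository (the CAS "service") does:
the browser arrives with ?ticket=ST-..., the repository asks the CAS server
whether that ticket is valid for *this* service URL, and only the username
(plus optional attributes) comes back. The user's password never reaches the
repository, which is the security benefit the text describes.

Added example; CAS server URL, service URL, tickets and responses are
constructed placeholders, not values from the book.
"""
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

# Namespace used by CAS 2.0/3.0 serviceValidate responses.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def validation_url(cas_base: str, service: str, ticket: str) -> str:
    """Build the /serviceValidate request URL.

    `service` must match, byte for byte, the URL the user was sent back to:
    the CAS server rejects a ticket presented for a different service, which
    is what stops a ticket issued for one site from being accepted at another.
    """
    query = urlencode({"service": service, "ticket": ticket})
    return f"{cas_base.rstrip('/')}/serviceValidate?{query}"


def parse_service_response(xml_text: str) -> dict:
    """Parse a CAS serviceValidate response into a plain dict.

    Success -> {"ok": True, "user": str, "attributes": {name: [values]}}
    Failure -> {"ok": False, "code": str, "message": str}
    """
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
        if not user:
            return {"ok": False, "code": "MALFORMED", "message": "success without cas:user"}
        attrs: dict = {}
        attr_el = success.find("cas:attributes", CAS_NS)
        if attr_el is not None:
            for child in attr_el:
                # ElementTree renders tags as "{namespace}name"; keep only the name.
                name = child.tag.split("}", 1)[-1]
                attrs.setdefault(name, []).append((child.text or "").strip())
        return {"ok": True, "user": user, "attributes": attrs}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code", "UNKNOWN"),
                "message": (failure.text or "").strip()}
    return {"ok": False, "code": "MALFORMED", "message": "no success or failure element"}


def validate_ticket(cas_base: str, service: str, ticket: str, fetch) -> dict:
    """Full check as a repository would run it.

    `fetch(url) -> str` performs the HTTPS request (urllib.request.urlopen in
    production, a stub here). Service tickets must begin with "ST-"; proxy
    tickets ("PT-") are not accepted by /serviceValidate, so reject them early.
    """
    if not ticket.startswith("ST-"):
        return {"ok": False, "code": "INVALID_TICKET_SPEC", "message": "not a service ticket"}
    return parse_service_response(fetch(validation_url(cas_base, service, ticket)))


# Constructed sample responses in the shape a CAS 2.0/3.0 server returns.
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@example.edu</cas:mail>
      <cas:memberOf>library-staff</cas:memberOf>
      <cas:memberOf>repository-editors</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'ST-placeholder' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def fake_fetch(url: str) -> str:
    """Stand-in for the HTTPS call: a fresh ticket validates, anything else fails."""
    return SUCCESS_RESPONSE if "ticket=ST-fresh" in url else FAILURE_RESPONSE


if __name__ == "__main__":
    cas, svc = "https://cas.example.edu/cas/", "https://repo.example.edu/login"
    print(validate_ticket(cas, svc, "ST-fresh", fake_fetch))
    print(validate_ticket(cas, svc, "ST-used", fake_fetch))
```

The repository treats the CAS response, not the incoming ticket, as the proof of identity: it issues its own session only after a successful validation, and because a ticket is bound to one service URL and is consumed on first use, a ticket seen by another site or replayed later fails validation. The validation request should go over TLS to the CAS server's verified certificate, since the response is unsigned.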



Security Assertion Markup Language (SAML)

SAML is similar to CAS in that it is also an open source protocol developed for SSO that can authenticate using a number of forms of authentication, including LDAP. The important difference between SAML and CAS is that SAML has federated authentication and better authorization capabilities. SAML is most commonly used with Shibboleth. If you are using SAML only for authentication, it may be easier to implement CAS if you have a choice in the matter.



Shibboleth

Shibboleth is similar to CAS in that both are open source technologies that can be used to implement SSO. However, it is different from CAS in multiple respects:

• Shibboleth is a service that relies on the SAML protocol while CAS is a protocol.
