I’ve been tasked with trying to set up SSO in our intranet. I haven’t implemented SSO before, and have limited exposure to LDAP as I primarily used AD in the past…and in our environment, none of our PCs (Windows machines) are in a domain of any kind. All remote PCs, everything is in workgroups. We have over 2,000 users…no centralized auth at the user level or PC/server level.
In comes the mention of Univention. The CIO does not want to add PCs to the domain; he is very against it and doesn’t want to do it.
Here’s what he wants to happen:
The user logs in to our intranet site www.example.com and it authenticates to the Univention IDP/LDAP so that they are already signed into ownCloud, etc. Once this part is working they want to expand it to outside vendors…but that’s another topic.
Sorry, I know these are basic questions but I have to ask them so I have the proper information to give, as I’m battling with this SSO implementation and whether or not to join the PCs to the domain, etc.
In order for this to work, do PCs/users need to be logged into the domain?
What would you do in my situation?
Also…when messing around with the SAML, when trying to download the public certificate, I get this error:
Forbidden
You don’t have permission to access /simplesamlphp/saml2/idp/certificate on this server.
I believe I’ve found the certs regardless of the above error in /etc/univention/ssl - but it obviously doesn’t match the above path.
The other issue I’m having is I’m unable to get LDAPadmin to connect. The connection test works with anon; you are able to fetch the DNs, which it does properly…but putting in the administrator login credentials, it gives an “Invalid DN syntax, invalid DN” error.
Using an anon connection it pulls the correct DCs.
Perhaps I have the wrong connection string using the default administrator account to connect. I’m missing something here.
Again, I apologize for the slew of questions here - I’ve just been thrown into a very large lake and a very small boat.
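Added example, not part of the original post: a small Python check related to the “Invalid DN syntax” error above. An LDAP server returns that result (code 34, invalidDNSyntax) when the bind identity is not written as a distinguished name, so a bare account name fails before the password is ever checked. The `cn=users` container used by `ucs_admin_dn` is an assumption about the default UCS directory layout, and the base DN is a constructed value standing in for the DCs the anonymous test returns.

```python
import re

# One RDN: attribute type (descriptor or OID) '=' value (RFC 4514). A value may
# not contain an unescaped ',', '+', '"', '\', '<', '>' or ';'; escapes are
# '\' + one of those characters or '\' + two hex digits. This is slightly
# lenient about leading '#' and leading/trailing spaces, which RFC 4514
# requires to be escaped as well.
_ATTR_TYPE = r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)"
_ATTR_VALUE = r'(?:#(?:[0-9A-Fa-f]{2})+|(?:\\[0-9A-Fa-f]{2}|\\[ ,+"\\<>;#=]|[^,+"\\<>;\x00])*)'
_RDN = rf"{_ATTR_TYPE}={_ATTR_VALUE}(?:\+{_ATTR_TYPE}={_ATTR_VALUE})*"
_DN_RE = re.compile(rf"^{_RDN}(?:,{_RDN})*$")


def is_valid_dn(candidate: str) -> bool:
    """True if candidate is a syntactically valid LDAP DN.

    The empty string is the root DSE and counts as valid; a bare login name
    such as 'Administrator' or 'DOMAIN\\Administrator' has no '=' and is not.
    """
    if candidate == "":
        return True
    return _DN_RE.fullmatch(candidate) is not None


def ucs_admin_dn(base_dn: str, account: str = "Administrator") -> str:
    """Build the bind DN for a UCS user from the base DN an anonymous bind returns.

    Assumption (not confirmed by the post): UCS keeps user accounts in the
    cn=users container directly below the LDAP base.
    """
    if base_dn == "" or not is_valid_dn(base_dn):
        raise ValueError(f"not a usable base DN: {base_dn!r}")
    return f"uid={account},cn=users,{base_dn}"


if __name__ == "__main__":
    base = "dc=example,dc=com"  # constructed base DN for the demonstration
    for ident in ("Administrator", "example\\Administrator", ucs_admin_dn(base)):
        print(f"{ident!r:50} valid bind DN: {is_valid_dn(ident)}")
```

Feeding the client a string that passes `is_valid_dn` rules out the syntax error; a remaining failure is then a credentials or access problem (result code 49, invalidCredentials) rather than a malformed DN.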