
shibboleth-dev - SSO via Tomcat

Subject: Shibboleth Developers


SSO via Tomcat


  • From: Scott Cantor
  • To: 'Shibboleth Design Team'
  • Subject: SSO via Tomcat
  • Date: Tue, 12 Aug 2003 00:10:44 -0400
  • Importance: Normal
  • Organization: The Ohio State University

I'm working on divorcing my HS from my web-iso here with some partial
success. It's really poorly documented, but I've managed to get Tomcat to do
user logins against Kerberos using basic-auth and pass that into the HS
servlet. This is done with configuration commands in server.xml and web.xml
using the JAAS Realm support in Tomcat and the JDK 1.4 Kerberos PAM module.

It only works if you go direct against Tomcat (no Apache), which seems not
too bad anyway, not much use for Apache in that scenario except for the AA
part.

I don't have form-based logins yet, but that's pretty easy. Also no SSL yet,
but that should be manageable, esp. since I can import my Verisign key with
extkeytool. ;-)

Only hitch so far, apart from figuring out how to bypass the role-authz in
web.xml (use a role of *) is that the Kerberos module passes back the
principal name as user@realm, and that's not what the HS is currently
expecting. If I can't chop the realm out somehow, I'd have to make the HS do
that for me.

-- Scott
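
The realm-stripping step mentioned in the message, as an added example that is not part of the original post and is not Shibboleth code: it drops the realm only when it matches the one realm the deployment expects, so that a principal from another realm or a `user/instance` principal does not collapse onto the same local name. The class name `PrincipalNormalizer`, the realm `EXAMPLE.EDU` and the sample principals are assumptions constructed for illustration.

```java
/** Added example (hypothetical helper, not Shibboleth code). */
public final class PrincipalNormalizer {
    private final String expectedRealm;

    public PrincipalNormalizer(String expectedRealm) {
        if (expectedRealm == null || expectedRealm.isEmpty()) {
            throw new IllegalArgumentException("expected realm is required");
        }
        this.expectedRealm = expectedRealm;
    }

    /** Maps "user@REALM" to "user"; rejects anything that is not a plain user in the expected realm. */
    public String toLocalName(String principal) {
        if (principal == null) {
            throw new SecurityException("no authenticated principal");
        }
        int at = principal.lastIndexOf('@');
        String user = (at < 0) ? principal : principal.substring(0, at);
        if (at >= 0 && !expectedRealm.equals(principal.substring(at + 1))) {
            // Kerberos realm names are case-sensitive, so compare exactly.
            throw new SecurityException("unexpected realm in " + principal);
        }
        // "user/admin" is a different principal from "user"; an '@' or '\' left
        // in the user part means an escaped or malformed name.
        if (user.isEmpty() || user.indexOf('/') >= 0
                || user.indexOf('@') >= 0 || user.indexOf('\\') >= 0) {
            throw new SecurityException("unsupported principal form: " + principal);
        }
        return user;
    }

    public static void main(String[] args) {
        PrincipalNormalizer n = new PrincipalNormalizer("EXAMPLE.EDU"); // constructed realm
        // Constructed sample principals, as request.getRemoteUser() might return them.
        String[] samples = { "jdoe@EXAMPLE.EDU", "jdoe", "jdoe@OTHER.EDU", "jdoe/admin@EXAMPLE.EDU" };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + n.toLocalName(s));
            } catch (SecurityException e) {
                System.out.println(s + " rejected: " + e.getMessage());
            }
        }
    }
}
```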
