shibboleth-dev - Re: Strawman AuthnRequest profile #2 (ignore previous)
Subject: Shibboleth Developers
- From: Jim Fox <>
- To: Scott Cantor <>
- Cc: "'Shibboleth Developers'" <>
- Subject: Re: Strawman AuthnRequest profile #2 (ignore previous)
- Date: Mon, 27 Dec 2004 22:35:37 -0800 (PST)
One could also process enough of the request in the Web-ISO portion
of the HS's web server to figure out what kind of authn is desired.
It could then take whatever action is needed prior to passing the
request to the HS, with the remote user - just like now. For Apache
at least, one could easily imagine a 'mod_shib_origin', that does this
part and provides an easy-to-use interface to an arbitrary ISO module -
pubcookie, for example.
One could also imagine implementing the entire HS in an Apache module,
but that might be less efficacious.
Jim
On Mon, 27 Dec 2004, Scott Cantor wrote:
Authentication...
The ForceAuthn/IsPassive/AuthnContext stuff requires digesting the request
before invoking authentication. That makes the "use a typical Web-ISO"
approach impossible unless you leave the SSO endpoint naked. Then I guess
you process the message into a short key, drop a cookie/whatever, and bounce
the browser over to the protected SAML issuing endpoint with some kind of
way to customize the redirect so as to relay the requirements in a
proprietary fashion for the authentication mechanism. I suppose thinking
about it, this is arguably better in terms of how we might eventually embed
authn modules in the software anyway, more modular.