Shibboleth Developers

[Jim Fox <>]

One could also process enough of the request in the Web-ISO portion
of the HS's web server to figure out what kind of authn is desired.
It could then take whatever action is needed prior to passing the
request to the HS, with the remote user - just like now.  For Apache
at least, one could easily imagine a 'mod_shib_origin', that does this
part and provides a easy-to-use interface to an arbitrary ISO module -
pubcookie, for example.

One could also imagine implementing the entire HS in an Apache module,
but that might be less efficacious.

Jim

On Mon, 27 Dec 2004, Scott Cantor wrote:
> Authentication...
>
> The ForceAuthn/IsPassive/AuthnContext stuff requires digesting the request
> before invoking authentication. That makes the "use a typical Web-ISO"
> approach impossible unless you leave the SSO endpoint naked. Then I guess
> you process the message into a short key, drop a cookie/whatever, and bounce
> the browser over to the protected SAML issuing endpoint with some kind of
> way to customize the redirect so as to relay the requirements in a
> proprietary fashion for the authentication mechanism. I suppose thinking
> about it, this is arguably better in terms of how we might eventually embed
> authn modules in the software anyway, more modular.