shibboleth-dev - Re: Strawman AuthnRequest profile #2 (ignore previous)

Subject: Shibboleth Developers

  • From: Jim Fox <>
  • To: Scott Cantor <>
  • Cc: "'Shibboleth Developers'" <>
  • Subject: Re: Strawman AuthnRequest profile #2 (ignore previous)
  • Date: Mon, 27 Dec 2004 22:35:37 -0800 (PST)


One could also process enough of the request in the Web-ISO portion
of the HS's web server to figure out what kind of authn is desired.
It could then take whatever action is needed prior to passing the
request to the HS, with the remote user - just like now. For Apache
at least, one could easily imagine a 'mod_shib_origin', that does this
part and provides an easy-to-use interface to an arbitrary ISO module -
pubcookie, for example.

One could also imagine implementing the entire HS in an Apache module,
but that might be less efficacious.

Jim

On Mon, 27 Dec 2004, Scott Cantor wrote:

Authentication...

The ForceAuthn/IsPassive/AuthnContext stuff requires digesting the request
before invoking authentication. That makes the "use a typical Web-ISO"
approach impossible unless you leave the SSO endpoint naked. Then I guess
you process the message into a short key, drop a cookie/whatever, and bounce
the browser over to the protected SAML issuing endpoint with some kind of
way to customize the redirect so as to relay the requirements in a
proprietary fashion for the authentication mechanism. I suppose thinking
about it, this is arguably better in terms of how we might eventually embed
authn modules in the software anyway, more modular.
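
The pre-processing step both messages describe (digest the request before authentication, then keep the result under a short key), as an added example that is not part of the thread or of Shibboleth's code. It assumes SAML 2.0 AuthnRequest element names and an in-memory dict as the store; the function names are hypothetical.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
_pending = {}  # short key -> requirements; stands in for a server-side store

# Constructed sample request, not taken from the thread.
SAMPLE_REQUEST = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    b' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    b' ID="_example1" Version="2.0" ForceAuthn="true" IsPassive="0">'
    b'<samlp:RequestedAuthnContext><saml:AuthnContextClassRef>'
    b'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
    b'</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>'
)

def _xs_bool(value):
    # xs:boolean accepts true/1 and false/0; an absent attribute means false.
    if value is None or value in ("false", "0"):
        return False
    if value in ("true", "1"):
        return True
    raise ValueError("not an xs:boolean: %r" % (value,))

def digest_authn_request(xml_bytes):
    # The endpoint is unauthenticated, so parse defensively and keep little.
    text = xml_bytes.decode("utf-8")  # one encoding, so the check below holds
    if "<!DOCTYPE" in text:
        raise ValueError("DTDs are not accepted")  # rules out entity expansion
    root = ET.fromstring(text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not an AuthnRequest")
    refs = root.findall(
        "{%s}RequestedAuthnContext/{%s}AuthnContextClassRef" % (SAMLP, SAML))
    return {
        "force_authn": _xs_bool(root.get("ForceAuthn")),
        "is_passive": _xs_bool(root.get("IsPassive")),
        "context_classes": [(r.text or "").strip() for r in refs],
    }

def stash_requirements(xml_bytes):
    # The key travels through the browser (cookie or redirect): keep it random.
    key = secrets.token_urlsafe(16)
    _pending[key] = digest_authn_request(xml_bytes)
    return key

def redeem(key):
    return _pending.pop(key, None)  # single use: read once, then forget
```

The protected endpoint would call `redeem` with the key relayed by the browser and hand the result to whatever authentication mechanism sits in front of it.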



