Shibboleth Developers

["Scott Cantor" <>]

> We recently came up with a potential solution, and we wanted to get some 
> feedback as to whether or not it will be feasible.  The idea is to 
> configure our Tru64 SP to use a remote shibd running on a linux host. 
> mod_shib on the Tru64 host would be connected to the remote shibd using 
> stunnel.
> 
> Does this sound like it could work?  Are there other potential solutions?

There isn't any hard data about the viability. It's technically possible,
but Apache and shibd are very chatty, Apache ends up making two calls to
shibd to fetch the session entry for every request, instead of just one.

I would be inclined to say that if you can't secure it by virtue of just
controlling the network between them, encrypting it may swamp you. The
network alone could do it, though.

I had one customer looking at working around the lack of good cluster
support by doing this short term, but they haven't gotten back to me about
doing it yet.

My best guess is that 2.0 will support this better than 1.3 does, but then
2.0 won't require the RPC library, so the problem may be moot.

-- Scott