Shibboleth Developers

[Shilen Patel <>]

Hello,

I'd like to add a feature.  In our environment, some backend servers 
(such as the Sun Directory Server) do not support GSSAPI and cannot do 
anything useful with a Kerberos ticket.  So for Service Providers that 
use these backend servers, we pass them a proxy token that's created 
from the Kerberos ticket.  The proxy token is the part of the ticket 
that's encrypted in the backend server's key and contains the meaningful 
ticket data with the lifetime information, ip addresses, flags, etc.  So 
we would like the IdP to also allow passing this part of the ticket that 
we use as a proxy token.

Thanks,

-- Shilen


RL 'Bob' Morgan wrote:
> I put up a drafty project page at:
>
> https://spaces.internet2.edu/display/SHIB/Kerberos+Tickets+for+Middle+Tiers 
>
>
> including a features list, most of which are those posted by Russ 
> Allbery in a note a few months ago (thanks Russ).
>
> Feel free to add/elaborate on features/requirements, or propose a 
> design. I mentioned a couple of issues on the design page (eg Shib 2.x 
> only?).
>
>  - RL "Bob"
>
> On Tue, 3 Jul 2007, Shilen Patel wrote:
>
> > Hi Bob,
> >
> > We spoke last week regarding Shibboleth passing Kerberos tickets as 
> > attributes.  You also mentioned that you have some initial 
> > requirements gathered.  It would be very helpful for us to see what 
> > you have already come up with, so we would appreciate any information 
> > you can provide.
> >
> > Also, do any of the Shibboleth developers have any thoughts or 
> > recommendations on how this feature should be implemented?
> >
> > Thanks,
> >
> > -- Shilen