shibboleth-dev - Re: Shibboleth and Kerberos Tickets

Subject: Shibboleth Developers

Re: Shibboleth and Kerberos Tickets


  • From: Chad La Joie <>
  • To:
  • Subject: Re: Shibboleth and Kerberos Tickets
  • Date: Fri, 13 Jul 2007 08:51:43 -0400
  • Openpgp: id=A260F52E; url=http://pgpkeys.pca.dfn.de/pks/lookup?op=get&search=0x3F5E9E87A260F52E
  • Organization: Georgetown University

I think we want to avoid such one-off/non-standard solutions. That
said, there is no reason that once the IdP had sent the ticket the app
protected by the SP couldn't strip that information off.

Shilen Patel wrote:
> Hello,
>
> I'd like to add a feature. In our environment, some backend servers
> (such as the Sun Directory Server) do not support GSSAPI and cannot do
> anything useful with a Kerberos ticket. So for Service Providers that
> use these backend servers, we pass them a proxy token that's created
> from the Kerberos ticket. The proxy token is the part of the ticket
> that's encrypted in the backend server's key and contains the meaningful
> ticket data with the lifetime information, IP addresses, flags, etc. So
> we would like the IdP to also allow passing this part of the ticket that
> we use as a proxy token.
>
> Thanks,
>
> -- Shilen
>
>
> RL 'Bob' Morgan wrote:
>>
>> I put up a drafty project page at:
>>
>> https://spaces.internet2.edu/display/SHIB/Kerberos+Tickets+for+Middle+Tiers
>>
>>
>> including a features list, most of which are those posted by Russ
>> Allbery in a note a few months ago (thanks Russ).
>>
>> Feel free to add/elaborate on features/requirements, or propose a
>> design. I mentioned a couple of issues on the design page (e.g. Shib 2.x
>> only?).
>>
>> - RL "Bob"
>>
>> On Tue, 3 Jul 2007, Shilen Patel wrote:
>>
>>> Hi Bob,
>>>
>>> We spoke last week regarding Shibboleth passing Kerberos tickets as
>>> attributes. You also mentioned that you have some initial
>>> requirements gathered. It would be very helpful for us to see what
>>> you have already come up with, so we would appreciate any information
>>> you can provide.
>>>
>>> Also, do any of the Shibboleth developers have any thoughts or
>>> recommendations on how this feature should be implemented?
>>>
>>> Thanks,
>>>
>>> -- Shilen
>>>
>>>

--
Chad La Joie 2052-C Harris Bldg
OIS-Middleware 202.687.0124


