Shibboleth Developers

[Shilen Patel <>]

The applications that receive the proxy token treat the proxy token just 
like a password.  The applications just pass it to the backend servers, 
which have a PAM module to support it.  Does that answer your question?

Thanks,

-- Shilen


Scott Cantor wrote:
> > I'd like to add a feature.  In our environment, some backend servers
> > (such as the Sun Directory Server) do not support GSSAPI and cannot do
> > anything useful with a Kerberos ticket.
> >     
>
> I don't think this discussion is about services that aren't Kerberized, that
> seems kind of beside the point. If they don't do Kerberos, what would they
> support that isn't password or X.509?
>
>   
> > So for Service Providers that
> > use these backend servers, we pass them a proxy token that's created
> > from the Kerberos ticket.  The proxy token is the part of the ticket
> > that's encrypted in the backend server's key and contains the meaningful
> > ticket data with the lifetime information, ip addresses, flags, etc.  So
> > we would like the IdP to also allow passing this part of the ticket that
> > we use as a proxy token.
> >     
>
> What do you do with it?
>  
> -- Scott
>
>
>