Shibboleth Developers

[Peter Williams <>]

Shib sessions can be initiated on a standalone server (in the dmz, say) by 
the application website redirectin to the appropriate invocation url. The 
protocol run lands back at the target url, or a shib error handler.

The ap must now test for the shib session (and collect attributes).

This tends to require some trust concept, such as trusted subsystem designs.

-----Original Message-----
From: Gareth Palfrey 
<>
Sent: Wednesday, July 02, 2008 1:37 AM
To: 

 
<>
Subject: RE: [Shib-Dev] Shibboleth on IIS without ASAPI?


Scott,

Thank you for your reply!

I appreciate the scope of SAML is huge,  but do you have any experience
in emulating the ISAPI (Sorry on spelling!) filter with scripts
(ASP/VBScript)?

I'm currently lost without a starting point, so if you could suggest any
online resources where I might be able to work out or find examples,
I'd greately appreciate it!

Surely it can't be difficult to create a few sessions anyhow,  I just
need to know all the details of what those sessions will be.

Thanks again,

Gareth

-----Original Message-----
From: Scott Cantor 
[mailto:]
Sent: 01 July 2008 16:02
To: 

Subject: RE: [Shib-Dev] Shibboleth on IIS without ASAPI?

> Our current Authentication system (ERights 2.7) uses an ASAPI filter
and
> therefore we are not keen on any Shibboleth implementation involving
another
> ASAPI filter.

It's ISAPI, not ASAPI.

> Therefore my question is..    Can we..

You can do anything you want. Just be prepared to spend a lot of time
doing
it. Personally, I would strongly suggest that you look for a SAML
implementation you can live with rather than inventing another.

-- Scott





DISCLAIMER:

This communication (including any attachments) is intended for the use of the 
addressee only and may contain confidential, privileged or copyright 
material. It may not be relied upon or disclosed to any other person without 
the consent of the RSC. If you have received it in error, please contact us 
immediately. Any advice given by the RSC has been carefully formulated but is 
necessarily based on the information available, and the RSC cannot be held 
responsible for accuracy or completeness. In this respect, the RSC owes no 
duty of care and shall not be liable for any resulting damage or loss. The 
RSC acknowledges that a disclaimer cannot restrict liability at law for 
personal injury or death arising through a finding of negligence. The RSC 
does not warrant that its emails or attachments are Virus-free: Please rely 
on your own screening.