shibboleth-dev - RE: [Shib-Dev] Shibboleth on IIS without ASAPI?
- From: "Scott Cantor" <>
- To: <>
- Subject: RE: [Shib-Dev] Shibboleth on IIS without ASAPI?
- Date: Wed, 2 Jul 2008 10:46:32 -0400
- Organization: The Ohio State University
> Shib sessions can be initiated on a standalone server (in the dmz, say) by
> the application website redirecting to the appropriate invocation url. The
> protocol run lands back at the target url, or a shib error handler.
And that would be SSO. That's what SAML does. And CAS. And pubcookie. And a
million other protocols.
If you want to, you can gateway between SAML and some other protocol that
has an implementation you're happier to run on your web server. In return,
you lose various end to end protocol behaviors, typically can't support
certain features, and you have to run two protocols and introduce a second
server and an additional point of failure. It's just a trade-off. It may be
a good one or a bad one.
> This tends to require some trust concept, such as trusted subsystem
> designs.
Designing a *new* protocol for this is not something most people should
consider. Pick one you like that's already been evaluated, don't invent your
own. That's a good way to get hacked.
-- Scott