shibboleth-dev - RE: [Shib-Dev] Shibboleth on IIS without ASAPI?
Subject: Shibboleth Developers
List archive
- From: Peter Williams <>
- To: "" <>
- Subject: RE: [Shib-Dev] Shibboleth on IIS without ASAPI?
- Date: Wed, 2 Jul 2008 08:06:13 -0700
- Accept-language: en-US
- Acceptlanguage: en-US
In professional windows server data centers, microsoft recommend that the
apps hosted on microsoft backoffice platforms nay convert the saml
session/token into a windowstoken that can be presented to the nt
(distributed) refernce monitor.
Though it would be hard to evaluate for trustworthiness, an apache app
running on windows server could act as its own trusted subsystem, and use the
windows api that enables a windows token to impersonate the shib token. The
kerberos support on windows may be exploited, so the windowstoken can be
consumed by distributed reference monitors (when suitable activedirectory
forest trust models authorize such reliance).
Obviously, have mostly left shibland at this point, and entered windowsland.
I would not counsel doing any of this on windows earlier than vista.
-----Original Message-----
From: Scott Cantor
<>
Sent: Wednesday, July 02, 2008 7:46 AM
To:
<>
Subject: RE: [Shib-Dev] Shibboleth on IIS without ASAPI?
> Shib sessions can be initiated on a standalone server (in the dmz, say) by
> the application website redirectin to the appropriate invocation url. The
> protocol run lands back at the target url, or a shib error handler.
And that would be SSO. That's what SAML does. And CAS. And pubcookie. And a
million other protocols.
If you want to, you can gateway between SAML and some other protocol that
has an implementation you're happier to run on your web server. In return,
you lose various end to end protocol behaviors, typically can't support
certain features, and you have to run two protocols and introduce a second
server and an additional point of failure. It's just a trade-off. It may be
a good one or a bad one.
> This tends to require some trust concept, such as trusted subsystem
designs.
Designing a *new* protocol for this is not something most people should
consider. Pick one you like that's already been evaluated, don't invent your
own. That's a good way to get hacked.
-- Scott
- RE: [Shib-Dev] Shibboleth on IIS without ASAPI?, Gareth Palfrey, 07/02/2008
- RE: [Shib-Dev] Shibboleth on IIS without ASAPI?, Scott Cantor, 07/02/2008
- <Possible follow-up(s)>
- RE: [Shib-Dev] Shibboleth on IIS without ASAPI?, Peter Williams, 07/02/2008
- RE: [Shib-Dev] Shibboleth on IIS without ASAPI?, Scott Cantor, 07/02/2008
- RE: [Shib-Dev] Shibboleth on IIS without ASAPI?, Peter Williams, 07/02/2008
- RE: [Shib-Dev] Shibboleth on IIS without ASAPI?, Scott Cantor, 07/02/2008
- RE: [Shib-Dev] Shibboleth on IIS without ASAPI?, Peter Williams, 07/02/2008
Archive powered by MHonArc 2.6.16.