Shibboleth Developers

[Peter Williams <>]

In professional windows server data centers, microsoft recommend that the 
apps hosted on microsoft backoffice platforms nay convert the saml 
session/token into a windowstoken that can be presented to the nt 
(distributed) refernce monitor.

Though it would be hard to evaluate for trustworthiness, an apache app 
running on windows server could act as its own trusted subsystem, and use the 
windows api that enables a windows token to impersonate the shib token. The 
kerberos support on windows may be exploited, so the windowstoken can be 
consumed by distributed reference monitors (when suitable activedirectory 
forest trust models authorize such reliance).

Obviously, have mostly left shibland at this point, and entered windowsland. 
I would not counsel doing any of this on windows earlier than vista.

-----Original Message-----
From: Scott Cantor 
<>
Sent: Wednesday, July 02, 2008 7:46 AM
To: 

 
<>
Subject: RE: [Shib-Dev] Shibboleth on IIS without ASAPI?


> Shib sessions can be initiated on a standalone server (in the dmz, say) by
> the application website redirectin to the appropriate invocation url. The
> protocol run lands back at the target url, or a shib error handler.

And that would be SSO. That's what SAML does. And CAS. And pubcookie. And a
million other protocols.

If you want to, you can gateway between SAML and some other protocol that
has an implementation you're happier to run on your web server. In return,
you lose various end to end protocol behaviors, typically can't support
certain features, and you have to run two protocols and introduce a second
server and an additional point of failure. It's just a trade-off. It may be
a good one or a bad one.

> This tends to require some trust concept, such as trusted subsystem
designs.

Designing a *new* protocol for this is not something most people should
consider. Pick one you like that's already been evaluated, don't invent your
own. That's a good way to get hacked.

-- Scott