shibboleth-dev - RE: [Shib-Dev] Shibboleth on IIS without ASAPI?
- From: "Scott Cantor" <>
- To: <>
- Subject: RE: [Shib-Dev] Shibboleth on IIS without ASAPI?
- Date: Wed, 2 Jul 2008 11:26:24 -0400
- Organization: The Ohio State University
> Though it would be hard to evaluate for trustworthiness, an apache app
> running on windows server could act as its own trusted subsystem, and use
> the windows api that enables a windows token to impersonate the shib
> token.
Of course it can. That's because Kerberos is (wait for it) a SSO protocol.
It's quite possible (I'd even say likely) that the people trying to "do
Shibboleth" themselves would be much better off with an approach like this
(though not necessarily with Kerberos) and just deploying a protocol stack
they're happier with on their application servers and running Shibboleth as
a gateway to them. That may well solve their problem, whatever it is.
I'm just suggesting they pick a protocol that exists, not invent one.
The SP's configuration model is also such that it's even possible to expose
all of the applications behind the gateway as unique services and achieve
something approaching an end to end policy model for IdPs to consume.
-- Scott