Shibboleth Developers

[Peter Williams <>]

Getting off topic rapidly, the mit crowd were very frustrated in the mid 
1990s. Not only had many rejected the notion that a us based (mit operated) 
root ca would control who would participate in cert issuing for strong 
crypto-capable internet apps, the general web was also struggling to accept 
being kerberized. In particular the kerberos ciphersuites in ssl were 
supposed to bring to systems of ssl tunnels all the sso benefits of kerberos 
v5 (and allow the collection of tunnels to act as a vpn, being controlled by 
the single policy attached to the kdc).

-----Original Message-----
From: Scott Cantor 
<>
Sent: Wednesday, July 02, 2008 8:26 AM
To: 

 
<>
Subject: RE: [Shib-Dev] Shibboleth on IIS without ASAPI?


> Though it would be hard to evaluate for trustworthiness, an apache app
> running on windows server could act as its own trusted subsystem, and use
> the windows api that enables a windows token to impersonate the shib
token.

Of course it can. That's because Kerberos is (wait for it) a SSO protocol.

It's quite possible (I'd even say likely) that the people trying to "do
Shibboleth" themselves would be much better off with an approach like this
(though not necessarily with Kerberos) and just deploying a protocol stack
they're happier with on their application servers and running Shibboleth as
a gateway to them. That may well solve their problem, whatever it is.

I'm just suggesting they pick a protocol that exists, not invent one.

The SP's configuration model is also such that it's even possible to expose
all of the applications behind the gateway as unique services and achieve
something approaching an end to end policy model for IdPs to consume.

-- Scott