
shibboleth-dev - RE: [Shib-Dev] Shibboleth on IIS without ASAPI?


RE: [Shib-Dev] Shibboleth on IIS without ASAPI?


  • From: Peter Williams <>
  • To: "" <>
  • Subject: RE: [Shib-Dev] Shibboleth on IIS without ASAPI?
  • Date: Wed, 2 Jul 2008 08:36:39 -0700
  • Accept-language: en-US

Getting off topic rapidly, the MIT crowd were very frustrated in the mid
1990s. Not only had many rejected the notion that a US-based (MIT-operated)
root CA would control who would participate in cert issuing for strong
crypto-capable internet apps, the general web was also struggling to accept
being Kerberized. In particular the Kerberos ciphersuites in SSL were
supposed to bring to systems of SSL tunnels all the SSO benefits of Kerberos
v5 (and allow the collection of tunnels to act as a VPN, being controlled by
the single policy attached to the KDC).

-----Original Message-----
From: Scott Cantor <>
Sent: Wednesday, July 02, 2008 8:26 AM
To: <>
Subject: RE: [Shib-Dev] Shibboleth on IIS without ASAPI?


> Though it would be hard to evaluate for trustworthiness, an apache app
> running on windows server could act as its own trusted subsystem, and use
> the windows api that enables a windows token to impersonate the shib
> token.

Of course it can. That's because Kerberos is (wait for it) an SSO protocol.

It's quite possible (I'd even say likely) that the people trying to "do
Shibboleth" themselves would be much better off with an approach like this
(though not necessarily with Kerberos) and just deploying a protocol stack
they're happier with on their application servers and running Shibboleth as
a gateway to them. That may well solve their problem, whatever it is.

I'm just suggesting they pick a protocol that exists, not invent one.

The SP's configuration model is also such that it's even possible to expose
all of the applications behind the gateway as unique services and achieve
something approaching an end-to-end policy model for IdPs to consume.

-- Scott
