
List:       shibboleth-users
Subject:    Re: Shibboleth SP on different domain than application
From:       "Cantor, Scott" <cantor.2 () osu ! edu>
Date:       2014-05-20 11:37:01
Message-ID: CFA0FC55.D270%cantor.2 () osu ! edu

On 5/20/14, 11:11 AM, "Nils Andersson" <nils.andersson82@gmail.com> wrote:

>I'm looking at using Shibboleth as a SAML SP. Shibboleth would reside in
>one domain and the application in another. Shibboleth and the application
>will communicate over the internet. A goal in this is that the
>integration should be as easy as possible for the application.
>
>Any ideas on how to secure the communication between Shibboleth and the
>application?

Yes, you deploy an SSO protocol between them. That's the only way. They do
not communicate over the Internet alone. You cannot achieve this without
involving the client or you will not have a secure system, because that's
what SSO is, linking sessions between domains.

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPOneMany

Basically, you are attempting to avoid installing the SP with the
application, but that is the entire basis of the SP's design. If you don't
like that design, you want a different solution that comes bundled with
its own SSO protocol behind the facade of the SAML layer (e.g., ADFS does
this with WS-Federation).

-- Scott

