Shib interop with .NET app-level SAML components?

Shib interop with .NET app-level SAML components?

RL 'Bob' Morgan

Here's a message we got from a small vendor someone on our campus is
working with on a web app, in a discussion about using Shib for websso,
or classic LDAP authn.  This is an IIS/.NET app.

> We have integrated with Shibboleth in the past with other clients, but
> it has always been in a customer hosted environment.  The reason we
> opted for the LDAP route was because we were under the assumption that
> something had to be installed on the web server for it to work.  Since
> the site is hosted by us, on a production machine that hosts other
> customers, we cannot install anything on there since it could possibly
> cause an issue to the other sites.

One approach might be to offer them assurance that the Shib IIS filter
won't cause a problem, they should just use it.  Given the stuff that
people tend to throw in to IIS servers, and the potential bad interactions
among that stuff, I think their worry is probably realistic and it's hard
for us to guarantee anything.  So I didn't push on that, but offered the
suggestions below.

I'm curious if others have had to answer this question and how you've done
so.  Has anyone tried to make the componentspace.com SAML components or
OIOSAML.NET interop with Shib?

Thanks,

  - RL "Bob"

---

Some sites have also had your concern about the potential problems of
adding another filter in a shared environment.  One approach there is to
use Shib and its filter on a different host (virtual or real) in your
environment, have the user authenticate there, then send them along to
your app with some local method of passing the user name (an encrypted URL
param or cookie for example) from one host to the other.  If you're able
to support another host for this purpose I think that would be the easiest
approach and the most likely one for us to be able to help you with.

As for app-level components, here are a couple:

  http://www.componentspace.com/

We would recommend the SAML 2.0 version.  It costs some money for
production use.

  OIOSAML.NET
  http://www.softwareborsen.dk/projekter/softwarecenter/brugerstyring/oiosaml.net/?searchterm=oiosaml.net

A European open-source project.
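The separate-host arrangement Bob describes (Shib SP on host A, the vendor's app on host B, the user name carried across in a URL parameter or cookie) is easy to get wrong: an encrypted-but-unauthenticated value can be tampered with, and a value with no expiry or nonce can be replayed. The example below is added here and is not code from the thread, from Shibboleth, or from either vendor. It simulates both hosts in Python (the real host B would be the IIS/.NET app), uses an HMAC-SHA256 signed token in place of encryption since the user name is not a secret and integrity is what matters, and assumes a shared key and an app landing URL that are provisioned out of band; the key, URL and sample user are made up for the demonstration.

```python
"""Hand-off token for a 'Shib on a separate host' setup (added example).

Host A runs the Shibboleth SP filter and learns the identity from REMOTE_USER.
Host B (the vendor app) never sees SAML; it only accepts a short-lived,
authenticated token minted by host A.  The token is signed rather than
encrypted: if the identifier must also be hidden, wrap it in AES-GCM.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Assumed shared secret and app URL, provisioned to both hosts out of band.
HANDOFF_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
APP_AUDIENCE = "https://app.example.com/sso-landing"
MAX_AGE_SECONDS = 60      # the hand-off is a single redirect, not a session


class HandoffError(Exception):
    """Token is tampered with, expired, replayed, or meant for another app."""


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_handoff(remote_user: str, audience: str, key: bytes, now=None) -> str:
    """Host A: after Shib has set REMOTE_USER, build the token for host B."""
    now = int(time.time() if now is None else now)
    claims = {
        "sub": remote_user,                # identity established by Shib
        "aud": audience,                   # which application may consume it
        "iat": now,
        "exp": now + MAX_AGE_SECONDS,      # short lifetime
        "jti": secrets.token_urlsafe(16),  # one-time id so host B can refuse replays
    }
    body = _b64u(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    mac = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64u(mac)}"


def redirect_url(remote_user: str, key: bytes, audience: str = APP_AUDIENCE) -> str:
    """Host A: where the browser is sent.  A cookie on a shared parent domain
    carries the same token unchanged."""
    return f"{audience}?{urlencode({'token': mint_handoff(remote_user, audience, key)})}"


def verify_handoff(token: str, audience: str, key: bytes, seen_jti: set, now=None) -> str:
    """Host B: return the user name or raise HandoffError.  The MAC is checked
    before any claim is read, so nothing in the payload is trusted unverified."""
    now = time.time() if now is None else now
    try:
        body, mac_b64 = token.split(".", 1)
        presented = _unb64u(mac_b64)
    except (ValueError, binascii.Error):
        raise HandoffError("malformed token")
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        raise HandoffError("bad MAC")          # tampered, or minted with another key
    claims = json.loads(_unb64u(body))
    if claims.get("aud") != audience:
        raise HandoffError("token issued for a different application")
    if not (claims["iat"] - 5 <= now <= claims["exp"]):   # 5 s clock skew allowed
        raise HandoffError("token expired or not yet valid")
    if claims["jti"] in seen_jti:
        raise HandoffError("replayed token")
    seen_jti.add(claims["jti"])                # in production: evict entries once past exp
    return claims["sub"]


if __name__ == "__main__":
    seen = set()
    url = redirect_url("jdoe@example.edu", HANDOFF_KEY)   # constructed sample user
    token = url.split("token=", 1)[1]
    print(verify_handoff(token, APP_AUDIENCE, HANDOFF_KEY, seen))
```

Host B should accept the token only over TLS, immediately exchange it for its own session cookie, and never treat the hand-off parameter itself as the session. The `aud` check matters on a shared hosting box: a token minted for one customer's site must not be usable against another.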

Re: Shib interop with .NET app-level SAML components?

RL 'Bob' Morgan

I guess that would be a "no" ... 8^(

  - RL "Bob"

On Wed, 17 Jun 2009, RL 'Bob' Morgan wrote:

> I'm curious if others have had to answer this question and how you've done
> so.  Has anyone tried to make the componentspace.com SAML components or
> OIOSAML.NET interop with Shib?


Re: Shib interop with .NET app-level SAML components?

Paul Hethmon
On 6/19/09 12:04 AM, "RL 'Bob' Morgan" <[hidden email]> wrote:

>> I'm curious if others have had to answer this question and how you've done
>> so.  Has anyone tried to make the componentspace.com SAML components or
>> OIOSAML.NET interop with Shib?

I haven't tried it myself, but I've got a couple of partners using the
ComponentSpace library successfully against my Shib IdP.

Paul

-----
Paul Hethmon
Chief Software Architect
Clareity Security, LLC
865.824.1350 - office
865.250.3517 - mobile
www.clareitysecurity.com
-----

God does not play dice with the universe; He plays an ineffable game of his
own devising, which might be compared, from the perspective of any of the
other players, to being involved in an obscure and complex version of poker
in a pitch dark room, with blank cards, for infinite stakes, with a dealer
who won't tell you the rules, and who smiles all the time.

 -- Terry Pratchett, Good Omens