Shibboleth SP on different domain than application
Cantor, Scott
cantor.2 at osu.edu
Tue May 20 07:37:01 EDT 2014
On 5/20/14, 11:11 AM, "Nils Andersson" <nils.andersson82 at gmail.com> wrote:
>I'm looking on using Shibboleth as a SAML SP. Shibboleth would reside in
>one domain and the application in another. Shibboleth and the application
>will communicate over the internet. A goal in this is that the
>integration should be as easy as possible for the application.
>
>Any ideas on how to secure the communication between Shibboleth and the
>application?
Yes, you deploy an SSO protocol between them. That's the only way. They do
not communicate over the Internet alone. You cannot achieve this without
involving the client or you will not have a secure system, because that's
what SSO is, linking sessions between domains.
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPOneMany
Basically, you are attempting to avoid installing the SP with the
application, but that is the entire basis of the SP's design. If you don't
like that design, you want a different solution that comes bundled with
its own SSO protocol behind the facade of the SAML layer (e.g., ADFS does
this with WS-Federation).
-- Scott
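A minimal illustration of the session linking Scott describes, added here as an example and not part of the original thread or of Shibboleth's code: the SP-side host signs a short-lived, audience-bound handoff that travels through the client's browser to the application, which verifies it before creating its own session. The shared key, the application domain and the claim names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo key shared by the SP host and the application host (assumption;
# a real deployment would use an out-of-band key exchange or asymmetric signatures).
SHARED_KEY = b"constructed-demo-key-not-for-production"
APP_AUDIENCE = "https://app.example.org"  # hypothetical application domain


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_handoff(attributes: dict, audience: str, now: int, ttl: int = 60) -> str:
    """SP side: bundle the authenticated attributes for one browser round-trip to the app."""
    claims = {"aud": audience, "iat": now, "exp": now + ttl,
              "nonce": secrets.token_hex(8), "attrs": attributes}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def accept_handoff(token: str, audience: str, now: int, seen_nonces: set) -> Optional[dict]:
    """Application side: the token arrived via the client's redirect; verify it fully before
    creating a local session. Returns the attributes, or None if the handoff is rejected."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None  # forged or tampered token
    claims = json.loads(_unb64(body))
    if claims["aud"] != audience or not (claims["iat"] <= now < claims["exp"]):
        return None  # wrong application, or outside the validity window
    if claims["nonce"] in seen_nonces:
        return None  # replay of a handoff already consumed
    seen_nonces.add(claims["nonce"])
    return claims["attrs"]
```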