...

MIT Touchstone is actually a suite of technologies, including Stanford's WebAuth, Internet2's Shibboleth, SAML (the Security Assertion Markup Language), and a new account management system for some users outside of the traditional MIT community. The system also uses HTTP redirection extensively, along with other standard web technologies such as SSL/TLS.

The primary login server uses Stanford's WebAuth package for initial authentication. The login server will initially support three authentication mechanisms: MIT X.509 certificates, Kerberos (via the HTTP/SPNEGO protocol), and MIT usernames and passwords over TLS. The WebAuth server is bound to a Shibboleth Identity Provider (IdP). The IdP is then treated as a trusted third party by the web application servers; it makes signed assertions to these application servers, communicating information about the authenticated user to each web server. From an architectural perspective, this is very similar to the model used by Kerberized applications on campus today, although different protocols are used.
Each web application server that wishes to use Touchstone will also have to run the Shibboleth Service Provider (SP) component. This required software is available for the Apache and IIS web servers; in the future we may also support web servers that use Tomcat without Apache, but that option will not be available initially.

...

At its simplest, Touchstone will set one or more environment variables on your Apache or IIS server, including REMOTE_USER. Your application can then use these values. A demonstration application that shows which environment variables are set can be viewed at https://mv-ezproxy-com.ezproxyberklee.flo.org/shib-testenv. Of course, your web server will have to have Shibboleth installed, and the MIT IdP will need to be made aware of your application. To secure the communication between your web application and the MIT IdP, you will also need an MIT certificate for your server.
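The paragraph above says the SP hands your application its results as server environment variables. The following is an added example (not code from the Touchstone project or this page) of a small WSGI application consuming those variables the way an application author would: it accepts only an identity the SP established, pins the IdP it expects, and shows why a client cannot forge REMOTE_USER with an HTTP header. Assumptions not stated on the page: the SP is running in its default environment-variable mode under Apache with mod_wsgi, so its values arrive in the WSGI environ dict rather than as headers; the names Shib-Session-ID, Shib-Identity-Provider and Shib-Authentication-Instant are the SP's default variable names as I know them, not names the page lists; EXPECTED_IDP is a placeholder, not the MIT IdP's real entityID; and all sample environ dicts are constructed, not captured from a server.

```python
"""Consume REMOTE_USER and the Shib-* variables a Shibboleth SP exports to a WSGI app."""
from typing import Dict, Tuple

# Placeholder entityID; substitute the IdP your SP is actually configured to trust.
EXPECTED_IDP = "https://idp.example.edu/shibboleth"


class NotAuthenticated(Exception):
    """Raised when the request carries no usable SP-established identity."""


def identity_from_environ(environ: Dict[str, str]) -> Dict[str, str]:
    """Return the identity the SP attached to this request.

    Only server variables are consulted. Anything the client sends as an HTTP
    header shows up in a CGI/WSGI environ with an HTTP_ prefix (a forged
    "REMOTE_USER: alice" header becomes HTTP_REMOTE_USER), so client input can
    never collide with the REMOTE_USER the SP set.
    """
    user = environ.get("REMOTE_USER", "")
    session = environ.get("Shib-Session-ID", "")
    if not user or not session:
        raise NotAuthenticated("no Shibboleth session; the SP did not authenticate this request")
    idp = environ.get("Shib-Identity-Provider", "")
    if idp != EXPECTED_IDP:
        # The SP already enforces trust through its metadata, but an application that
        # must only ever accept one IdP should pin it rather than rely on SP config alone.
        raise NotAuthenticated(f"assertion came from unexpected IdP {idp!r}")
    return {
        "user": user,
        "idp": idp,
        "session": session,
        "authn_instant": environ.get("Shib-Authentication-Instant", ""),
    }


def application(environ: Dict[str, str], start_response) -> list:
    """Minimal WSGI app: greets the SP-authenticated user, otherwise answers 401."""
    try:
        ident = identity_from_environ(environ)
    except NotAuthenticated as exc:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [f"not authenticated: {exc}".encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {ident['user']} (session {ident['session']})".encode()]


def run_request(environ: Dict[str, str]) -> Tuple[str, bytes]:
    """Drive the WSGI app without a web server; returns (status line, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(application(environ, start_response))
    return captured["status"], body


# Constructed sample environs (not captured from a real server).
# 1. A request for which the SP established a session and set its variables.
SP_AUTHENTICATED = {
    "REMOTE_USER": "alice",
    "Shib-Session-ID": "_f3a9c2",
    "Shib-Identity-Provider": EXPECTED_IDP,
    "Shib-Authentication-Instant": "2007-01-01T12:00:00Z",
}
# 2. An anonymous request whose client tried to forge identity with HTTP headers.
FORGED_HEADER = {"HTTP_REMOTE_USER": "alice", "HTTP_SHIB_SESSION_ID": "_f3a9c2"}
# 3. A real SP session, but from an IdP this application does not accept.
WRONG_IDP = {**SP_AUTHENTICATED, "Shib-Identity-Provider": "https://other.example.org/idp"}

if __name__ == "__main__":
    for name, env in [("sp", SP_AUTHENTICATED), ("forged", FORGED_HEADER), ("wrong-idp", WRONG_IDP)]:
        print(name, run_request(env))
```

If the SP is instead configured to pass attributes as request headers (the mode needed when the application is not hosted in Apache or IIS itself), the HTTP_ prefix protection above disappears and the front-end server must strip those header names from incoming client requests before the SP adds its own; the environment-variable mode the page describes avoids that problem.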

...