
mace-opensaml-users - RE: SAML1.x or SAML2.x?

Subject: OpenSAML user discussion

  • From: "Pantvaidya, Vishwajit" <>
  • To: Tom Scavo <>
  • Cc:
  • Subject: RE: SAML1.x or SAML2.x?
  • Date: Thu, 20 Apr 2006 19:18:13 -0700


> > > More importantly, SAML 1.1 does not support SP-first profiles. Is
> > > there some reason why you can't just use Shibboleth (which defines an
> > > AuthnRequest profile)? That sure would make your life easier. :-)
> >
> > My understanding is that we would not need SP-first profiles and
> > AuthnRequest.
>
> The scenario you outlined previously requires an SP-first profile. If
> you start at the SP, it's called SP-first.
>
> > Our opening page itself redirects user to the authenticating
> > web-server URL - so I guess we would not send any AuthnRequest.
>
> Okay, maybe I'm misunderstanding you. Is the opening page at the SP or
> the IdP?

Sorry for the confusion - opening page has a frameset and self-service frame
that is returned from the SP but the login screen is returned from the IdP.
So the user's login request gets submitted to the IdP which then
authenticates and sends the result to the SP. So my understanding is that I
only need to accept the assertion and process it at the SP i.e. I hopefully
do not need to send out an auth request.

>
>
> > But I am open to using Shibboleth if that makes my job easier. My only
> > requirement is to use SAML and as Shibboleth seems to be built on SAML,
> > that is okay.
>
> Then you need to switch over to shibboleth-users@internet2 :-) There
> are volumes of documentation for you to read. Perhaps you might like
> to start here:
>
> http://shibboleth.internet2.edu/docs/draft-mace-shibboleth-tech-overview-latest.pdf
>

Thanks - I will definitely take a look at Shibboleth.


Regards.

Vish.



