Shibboleth Developers

["Diego R. Lopez" <>]

 said:
> I'd like to start collecting use cases for Shib in non-browser, 
> non-web applications. Please email them to the list before monday's 
> call. They should reference how the authentication assertion is 
> obtained, and how assertions are transported and used.

A typical case is the use of authN assertions in instant messaging
systems (we are just starting to discuss about this in the brand new
I2IM group), so users can seamlessly:

* Obtain authorization to exchange messages with other users in the
same "group" (whatever a group is), without the usual
introduction/authorization process per each indiviual user

* Gain access to restricted rooms

* Initiate server to server interactions in order to access users/groups
in other servers: sort of what was called "application level multicast"
some time ago.

* . . .

The authentication assertion can be initially generated by the IM client
once the user has been identified: Data on how to get a fresh handle can
be easily stored in the client configuration. Other possible alternative
is to use a browser "helper" through a Web-ISO system that launches the
IM client with the appropriate handle.

Since Jabber messages are based on XML, including SAML assertions
inside them should not be very painful, as well as building server
plugins able to process the assertions in the federated style,
possibly using some external authorization engine (SPOCP? PERMIS?
XACML?).

Enjoy,
-- 
"Esta vez no fallaremos, Doctor Infierno"
 
Diego R. Lopez

 
RedIRIS
The Spanish NREN
Tel:    +34 955 056 621
Mobile: +34 669 898 094
-----------------------------------------

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--