
shibboleth-dev - RE: Non-web scenarios

Subject: Shibboleth Developers

  • From: "Diego R. Lopez" <>
  • To: Scott Cantor <>
  • Cc: , ,
  • Subject: RE: Non-web scenarios
  • Date: 03 Oct 2003 00:52:24 +0200


> Maybe I'm confused, but this seems off. There's already a SAML binding
> that works for basic synchronous query/response, and since defining
> new bindings is a harm to interop, it hasn't been done since the
> original one was defined. Not to say it'll never happen, but it will
> have to be something you can't do with SOAP/HTTP.

Well, you can't make a Jabber server use its native protocol to make
a query and read a response. I think that using an XMPP binding for
SAML could make sense if it is confined to implementing a gateway allowing
a Jabber server to make authZ decisions by means of the data received
inside an XMPP message.
The SOAP binding is the only "outer binding", and the Jabber server
keeps speaking only XMPP.


> Additionally, the benefit we want here is trust delegation. Rather
> than having the jabber servers trust each other directly, the goal is
> to let the chatroom trust only the SAML authorities (via a federation,
> bilateral trust, or whatever) and then it can use that trust fabric to
> allow the other server to talk to it about a user. Otherwise, you have
> to implement n x n trust relationships among all the application
> servers, and federations don't really buy you much.

Right. That's a very important point we all have to bear in mind when
walking beyond the web scenarios.

--
"This time we will not fail, Doctor Infierno"

Diego R. Lopez


RedIRIS
The Spanish NREN
Tel: +34 955 056 621
Mobile: +34 669 898 094
-----------------------------------------



