Shibboleth Developers

[Scott Cantor <>]

On 11/18/03 11:38 AM, 
""
 
<>
wrote:

> I think there are a few concerns here, including the one you mention:
> 
> 1) developing a non-browser based profile.
> 
> 2) apps like the LionShare client/server (ie apps using an over the
> wire protocol other than HTTP/SOAP) are going to have to figure out
> how to transport  SAML assertions from one end to the other...
> presumably by binding these assertions in  some fashion to their
> existing protocol.... this is their problem,  not ours (-:

It's more subtle than that, though. Just binding assertions to messages is
the kind of thing WS-Security does. But if you don't define what's in them,
when you can get them, and how you prove the right to use them, you don't
get any security for your application.

As far as the code is concerned, there's probably a bit of refactoring we
can do to better expose some common routines, such as the signature
verification algorithm. But most of it is available through decent class
designs, and some of it is behind actual abstract interfaces that port
directly to Java.

-- Scott