shibboleth-dev - SHIB design call, monday (11/124), 3:00 pm edt, noon pdt
Subject: Shibboleth Developers
- Subject: SHIB design call, monday (11/124), 3:00 pm edt, noon pdt
- Date: Mon, 24 Nov 2003 11:47:38 -0500
Phone #: (800) 541-1710
Pin #: 0142203
Agenda:
1) Current programming issues/questions
- I've asked Derek to describe his plans for vhost support on the target
2) Begin discussion of a DRAFT non-web-browser profile, describing how a client (other than a web browser) could obtain SAML Authn and Attribute Assertions and present them to a target.
http://stc.cis.brown.edu/~stc/Projects/Shibboleth/Version-2/Profile-Non-Browser/draft-carmody-non-browser-profile-00.html
This is DRAFT -- some sections aren't even filled in at this point. It's modeled on the SAML Bindings and Profiles doc:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
Do a FIND on 07-Sept-2003, and then click on "Bindings and Profiles".
I'm interested in comments and feedback on some of the major choices we face in developing this document:
1) do we need to specify in detail the protocol between the client and the Credentials Collection process?
2) is it OK to leave use of SAML assertions within other client-server protocols (eg XMPP) to the authors of those protocols? I assume yes......
3) given the nature of the web (easy to make multiple requests for different resources at the same target but in different application domains, and the need for shib to support this....), and the reality that existing protocols (eg XMPP, etc) probably do NOT allow re-authn in the middle of the session (ie, in shib terms, obtaining different Attribute Assertions when the appl domain changes)... what is a reasonable approach?
4) Other high level issues.......