Shibboleth Developers

[Von Welch <>]

Scott,

 Yes, my teminology was incorrect. Thanks for the pointers.

 I've been thinking about this over the weekend and let me try popping
up a level for a moment and ask a more basic question.

 There are applications out there that have authentication schemes
other than Handles. Assuming that Shib wants to work with these
applications it seems like one of two things has to happen:

 1) The Shib AA has to understand the identities used by these
applications (either in addition to handles/EPPNs or instead of).

 2) The applications have to understand handles/EPPNs (I'm not sure
which) so that they can cast their questions in terms the shib AA
understands.

 In other words, where do you want to put the burden of federating the
identities?

 #1 seems to have the advantage that applications are kept simpler,
but requires support of extra namespaces by the administrator/deployer
of the shib AA.

 #2 allows anyone who understands the EPPN/handle namespace to talk to
the shib AA without any special support from it, but obviously is more
work on their part.

 I've been pushing on the #2 case recently.

Von