shibboleth-dev - RE: First draft of new protocol spec

  • From: Scott Cantor <>
  • To: 'Tom Barton' <>
  • Cc:
  • Subject: RE: First draft of new protocol spec
  • Date: Fri, 11 Jun 2004 18:33:07 -0400
  • Organization: The Ohio State University

> I finally read the Identity Provider Discovery Profile and have a couple
> of naive implementation questions. Does the profile imply that one
> browser instance can contain at most one cookie at one time?

Yes, anybody able to read the cookie is reading/writing the same cookie.
There may be multiple IdPs stored in the cookie, although this wouldn't be
common in our use cases for now.

> Can an identity provider be logically a party to more than one identity
> federation?

In the sense that we usually mean "federation", yes, although whether it
manifests itself with the same providerId in each one is somewhat
unspecified and not really necessary. It's easy to set up a Shib 1.2 origin
that can publish itself as many different providers to different services.

> If so, does that imply that the _saml_idp cookie cannot be
> the unmediated immediate product of a federation-based identity
> discovery infrastructure, because of the possibility that an identity
> provider may belong to multiple federations?

Can you give an example? I'm not sure I follow. This profile isn't very
deep, it's just a standard implementation of the WAYF's cookie that's
accessed via a shared domain.

-- Scott
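The reply above says the shared-domain cookie is one value that any party on the common domain can read or write, and that it may hold more than one IdP. The following is an added illustration of how a discovery service might read and update such a cookie; it is not code from the thread, from the draft spec under discussion, or from the Shibboleth project. It assumes the encoding later fixed in the SAML 2.0 Identity Provider Discovery Profile (a space-separated list of base64-encoded entityIDs, most recently used last); the 2004 draft being discussed may have differed. The `known_entity_ids` filter is an assumption too: since any site on the common domain can write the cookie, a reader should only act on entries it can match against its own federation metadata.

```python
import base64
import binascii

# Cookie name as used by the WAYF / discovery profile discussed in the thread.
COOKIE_NAME = "_saml_idp"


def decode_idp_cookie(value):
    """Return the entityIDs stored in the cookie, oldest first.

    Tokens that are not valid base64 or not valid UTF-8 are skipped rather
    than raised, so a malformed or hostile cookie cannot break the reader.
    """
    idps = []
    for token in (value or "").split():
        try:
            idps.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
    return idps


def encode_idp_cookie(idps):
    """Serialise a list of entityIDs to the space-separated base64 form."""
    return " ".join(
        base64.b64encode(i.encode("utf-8")).decode("ascii") for i in idps
    )


def remember_idp(value, entity_id, max_entries=5):
    """Record that the user just chose entity_id (most recent goes last).

    A repeated choice is moved to the end instead of duplicated, and the
    list is capped at max_entries (an assumed limit, not from the spec) so
    the cookie cannot grow without bound.
    """
    idps = [i for i in decode_idp_cookie(value) if i != entity_id]
    idps.append(entity_id)
    return encode_idp_cookie(idps[-max_entries:])


def select_idp(value, known_entity_ids):
    """Pick the most recently used IdP that this reader actually trusts.

    Because the cookie is shared by every site on the common domain, and an
    IdP may belong to several federations, entries are only honoured when
    they appear in the caller's own metadata (known_entity_ids).
    """
    known = set(known_entity_ids)
    for entity_id in reversed(decode_idp_cookie(value)):
        if entity_id in known:
            return entity_id
    return None


if __name__ == "__main__":
    # Constructed sample values, not real federation entityIDs.
    cookie = ""
    cookie = remember_idp(cookie, "https://idp-a.example.edu/shibboleth")
    cookie = remember_idp(cookie, "https://idp-b.example.org/shibboleth")
    print("raw cookie:", cookie)
    print("stored:", decode_idp_cookie(cookie))
    print("chosen:", select_idp(cookie, ["https://idp-a.example.edu/shibboleth"]))
```

When setting the cookie in a real response the value should be quoted or URL-encoded, since it contains spaces, and it should carry the `Secure` attribute so that it only travels over TLS to the shared domain.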
