shibboleth-dev - WAYF-first authentication
List: Shibboleth Developers (shibboleth-dev)
- From: Ian Young <>
- Subject: WAYF-first authentication
- Date: Fri, 29 Oct 2004 12:09:25 +0100
I have a question about the Shibboleth authentication process that I am trying to resolve by interpreting the Protocols and Profiles document (I have Working Draft 02, 22 September 2004).
We have a circumstance in which it makes sense to have an image button on a web page that just goes directly to our WAYF, like this:
<form action="https://wayf.sdss.ac.uk/shibboleth-wayf/WAYF">
<input id="Shib" type="image" src="..." title="..."/>
<input type="hidden" name="shire" value="...">
<input type="hidden" name="providerId" value="...">
<input type="hidden" name="target" value="...">
</form>
This works fine, by the way; that isn't the question :-) The question is whether it is *supposed* to work, according to the Shibboleth architecture.
I went to the Protocols and Profiles document to back up my intuition that the Shibboleth service provider doesn't really need to know about anything until the user has been authenticated. The first obvious mismatch is with the sequence diagram in the architectural overview; I'd see what we're doing as replacing steps 1 and 2 with a direct interaction between the user agent and the WAYF.
Step 1 in this diagram is described as a required interaction. However, over in section 3.1 we have the statement that "An identity provider MAY initiate this process without an authentication request by directing the principal's browser through unspecified means to its inter-site transfer service with sufficient information to create the proper HTTP response", which kind of implies that step 1 isn't required at all. Sections 3.1.2 and 3.1.4 say similar things.
In our case, of course, the identity provider is responding to an authentication request, it is just that said request has never been near the service provider. So I don't think the text makes allowance for what we're doing in a clear way.
Soliciting comments in three categories:
1. you can't do that
2. you can do that, but the architecture document doesn't make it clear yet
3. you can do that, and the architecture document DOES make it clear if you read it properly.
Any takers?
-- Ian
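As an added illustration of the WAYF-first flow described in the message above (example code written for this page, not the Shibboleth WAYF and not code from anyone in the thread): a minimal Python handler for the GET request that the form submits. The SP metadata table, the IdP endpoint table, the URLs and the providerId value are all constructed for the example; the parameter names shire, providerId and target come from the form, and the time parameter is the one the Shibboleth 1.x profile carries on the redirect to the inter-site transfer service (here minted by the WAYF, since no service provider request exists). The security-relevant point the example makes concrete: because the service provider never saw this request, nothing upstream has vouched for shire, so the check that shire is a registered assertion consumer endpoint of providerId has to happen at the WAYF or at the identity provider before any redirect is issued.

```python
"""WAYF-first request handling (constructed example, not Shibboleth's own WAYF).

The browser arrives at the WAYF carrying shire/providerId/target directly from
a form, with no service provider having issued the request. Before forwarding to
an IdP's inter-site transfer service, the WAYF checks that shire really is an
assertion consumer endpoint registered for providerId.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed SP metadata: providerId -> registered assertion consumer ("shire") URLs.
SP_METADATA = {
    "urn:mace:example.ac.uk:sp:sdss": {
        "https://sp.sdss.example/Shibboleth.shire",
    },
}

# Constructed IdP list: display name -> inter-site transfer service URL.
IDP_ISTS = {
    "Example University": "https://idp.example.ac.uk/shibboleth-idp/SSO",
}

REQUIRED = ("shire", "providerId", "target")


def parse_wayf_request(query_string):
    """Parse the query the form's GET produces; each parameter must appear exactly once."""
    qs = parse_qs(query_string, keep_blank_values=True)
    params = {}
    for name in REQUIRED:
        values = qs.get(name, [])
        if len(values) != 1 or not values[0]:
            raise ValueError(f"parameter {name!r} missing, empty or repeated")
        params[name] = values[0]
    return params


def validate_wayf_request(params, sp_metadata=SP_METADATA):
    """Accept the unsolicited request only if shire is a registered endpoint of providerId.

    Exact string comparison is deliberate: a shire that differs by host, scheme,
    path or an appended query string is not the registered endpoint.
    """
    allowed = sp_metadata.get(params["providerId"])
    if allowed is None:
        raise ValueError("unknown providerId")
    if urlsplit(params["shire"]).scheme != "https":
        raise ValueError("shire must be an https URL")
    if params["shire"] not in allowed:
        raise ValueError("shire is not a registered assertion consumer for providerId")
    return params


def build_ists_redirect(idp_name, params, now, idp_ists=IDP_ISTS):
    """Build the redirect to the chosen IdP's inter-site transfer service.

    Only the validated parameters plus a time stamp (seconds since the epoch)
    are forwarded; nothing else from the incoming query is passed through.
    """
    base = idp_ists[idp_name]
    query = urlencode({
        "shire": params["shire"],
        "providerId": params["providerId"],
        "target": params["target"],
        "time": str(int(now)),
    })
    sep = "&" if urlsplit(base).query else "?"
    return f"{base}{sep}{query}"


def handle_wayf(query_string, idp_name, now):
    """Full WAYF-first path: parse, validate, then redirect the browser to the IdP."""
    params = validate_wayf_request(parse_wayf_request(query_string))
    return build_ists_redirect(idp_name, params, now)


def rejects(query_string):
    """True if the WAYF would refuse this query (used to exercise the failure cases)."""
    try:
        validate_wayf_request(parse_wayf_request(query_string))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed query string matching the form's hidden fields.
    good = ("shire=https%3A%2F%2Fsp.sdss.example%2FShibboleth.shire"
            "&providerId=urn%3Amace%3Aexample.ac.uk%3Asp%3Asdss"
            "&target=https%3A%2F%2Fsp.sdss.example%2Fsecure%2F")
    print(handle_wayf(good, "Example University", 1099044565))
    print(rejects(good.replace("sp.sdss.example%2FShibboleth.shire", "evil.example%2Fshire")))
```

The handler answers the practical half of the question: nothing in the flow depends on the service provider having seen the request, provided whoever receives the browser first (WAYF or IdP) treats shire as untrusted input and checks it against the metadata for providerId rather than forwarding it as received.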