shibboleth-dev - Re: WAYF-first authentication
- From: Ian Young <>
- To: Howard Gilbert <>
- Subject: Re: WAYF-first authentication
- Date: Fri, 29 Oct 2004 15:40:13 +0100
Howard Gilbert wrote:
> In other words, your Form is part of the Service Provider in Step 1.
I actually did consider this point of view; it was one of the things that made me think this might work in the first place. The reason that I didn't just go with it was that I think this viewpoint obscures an important issue.
> All these things are part of any implementation, but they aren't part
> of any standard because the internal attribute housekeeping isn't
> part of the protocol.
This is the issue: the sequence diagram implies that you have to visit the "service provider" first. In a typical Shibboleth installation, that means that a bit of Shibboleth code will get woken up and be aware that someone needs authentication, even if it immediately forgets that fact.
Regarding the form as part of the service provider (even if it is on a completely different site so that the target code is completely unaware of it) means that the service provider will be visited first (by definition) but the bit of code in Shibboleth isn't being woken up as it would be in a typical installation.
Is that a problem? Apparently not in practice, but the architecture document doesn't help me know this. Maybe one of the things you're saying is that the architecture document can't be expected to address this, but the comments about the identity provider initiating the process in 3.1, 3.1.2 and 3.1.4 seem to me to be trying to reach the same kind of area.
> You sort of see this when your Form includes a "providerID" field.
> The "shire" you might just know as a well known service URL, and the
> "target" is the URL of the Resource data that you are managing.
> However, you don't just trip over "providerId". It has to match some
> magic name configured inside the Shibboleth configuration data.
Given that the shire address and provider id are both part of the federation metadata, I'd have to regard them both as equally well-known. I'm not sure, therefore, that I'd draw the distinction you're making here. It's not as if the provider id was only visible within shibboleth.xml.
-- Ian
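As an added illustration of the point Ian makes above (this is example code written for this archive page, not code from the thread, from Shibboleth, or from either author): a WAYF or identity provider that receives the form Howard describes, with `providerId`, `shire` and `target` fields, can resolve the posted `providerId` in the federation metadata and then check that the posted `shire` is one of the endpoints registered for that provider, instead of trusting whatever the form carried. Sending an assertion to an unregistered shire would hand it to a site the federation never vetted. The metadata dictionary, the `target_hosts` allow-list and the function name are constructed assumptions; real Shibboleth metadata is XML and does not carry a per-provider target host list.

```python
"""Check a WAYF-first form POST against federation metadata (constructed example)."""
from urllib.parse import urlsplit

# Constructed stand-in for federation metadata: each service provider's
# providerId maps to the shire URLs registered for it. The target_hosts
# allow-list is an assumption added for this example, not a Shibboleth feature.
FEDERATION_METADATA = {
    "https://sp.example.edu/shibboleth": {
        "shire": {"https://sp.example.edu/Shibboleth.shire"},
        "target_hosts": {"sp.example.edu"},
    },
}


def validate_request(form, metadata=FEDERATION_METADATA):
    """Return a list of problems with the posted form; an empty list means accept.

    form: dict with the three fields the thread discusses: providerId, shire, target.
    """
    errors = []
    provider_id = form.get("providerId")
    shire = form.get("shire")
    target = form.get("target")

    # providerId must be a provider the federation knows about; without that
    # entry there is nothing to check the other fields against.
    entry = metadata.get(provider_id)
    if entry is None:
        errors.append("unknown providerId")
        return errors

    # The shire must be one registered for this provider in the metadata,
    # so the assertion cannot be steered to an arbitrary consumer URL.
    if shire not in entry["shire"]:
        errors.append("shire not registered for providerId")

    # The target is the resource the user will be sent back to; this example
    # restricts it to https on hosts allowed for the provider (assumption).
    parts = urlsplit(target or "")
    if parts.scheme != "https" or parts.hostname not in entry["target_hosts"]:
        errors.append("target not on an allowed host")

    return errors


if __name__ == "__main__":
    good = {
        "providerId": "https://sp.example.edu/shibboleth",
        "shire": "https://sp.example.edu/Shibboleth.shire",
        "target": "https://sp.example.edu/secure/report",
    }
    print("accepted" if not validate_request(good) else validate_request(good))
```

Because the checks come from the metadata rather than from the form, a form on a completely separate site (the situation Ian describes) can still be handled safely: the form is only a source of hints, and the metadata decides what is acceptable.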