
shibboleth-dev - RE: shib SSO profiles

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: "'Tom Scavo'" <>, "'Shibboleth Development'" <>
  • Subject: RE: shib SSO profiles
  • Date: Tue, 2 Nov 2004 23:31:34 -0500
  • Organization: The Ohio State University

> Here are detailed examples of the shib browser/post and
> browser/artifact profiles (as I understand them anyway). Any comments
> or corrections would be appreciated!

Looked correct to me, although I prefer to structure the discussion as three
profiles, a Shibboleth authn request profile, and a pair of SAML 1.1
response profiles that have additional constraints on message content. Does
a better job of documenting what the actual delta between Shibboleth and
SAML is.

> Shibboleth Browser/POST Profile
>
> Issues:
> - How does the SP know the client's preferred IdP at step 2?
> (WAYF, e.g.)

That's it. There is no elegant solution to this problem with current
technology. You have to ask, assume, cache, whatever.

> - Does the IdP send a providerId parameter at step 4?

In the assertion, yes.

> Shibboleth Browser/Artifact Profile
>
> Issues:
> - How does the SP know the client's preferred IdP at step 2?
> (WAYF, e.g.)

Same.

> - Does the IdP send a providerId parameter at step 4?

Same, but also you have the artifact SourceID which has to be mappable to an
IdP anyway.

> - Does the IdP send the URI of its artifact resolution service at step
> 4? If so, what is the name of the corresponding parameter?

No, it's out of scope as in SAML.

> - What is the format of the artifact at step 5?

Intended to be standard fixed length SAML artifact, from the original spec.
With metadata already in place, no obvious use for the other format.

-- Scott
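
The reply above notes that the artifact's SourceID has to be mappable to an IdP and that the artifact is the standard fixed-length SAML format. The following sketch is an added example, not part of the original message or of Shibboleth's code: it parses a type 0x0001 artifact (2-byte type code, 20-byte SourceID, 20-byte AssertionHandle, base64-encoded) and maps the SourceID to an IdP through metadata. It assumes the SourceID is the SHA-1 hash of the IdP's providerId; the providerIds, endpoint URLs and function names are constructed for illustration.

```python
import base64
import hashlib

TYPE_0001 = b"\x00\x01"      # fixed-length format: TypeCode + SourceID + AssertionHandle
ARTIFACT_LEN = 2 + 20 + 20   # bytes, before base64 encoding

# Constructed metadata (hypothetical): providerId -> artifact resolution endpoint.
# The endpoint comes from metadata because the IdP does not send it in the profile.
METADATA = {
    "urn:example:idp-a": "https://idp-a.example.org/artifact",
    "urn:example:idp-b": "https://idp-b.example.org/artifact",
}

def source_id(provider_id):
    # Assumption: SourceID is the SHA-1 hash of the IdP's providerId.
    return hashlib.sha1(provider_id.encode("utf-8")).digest()

# Reverse index built once from metadata: SourceID -> providerId.
SOURCE_INDEX = {source_id(p): p for p in METADATA}

def parse_artifact(b64):
    """Decode a type 0x0001 artifact; return (source_id, assertion_handle)."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("artifact is not valid base64") from exc
    if raw[:2] != TYPE_0001:
        raise ValueError("unsupported artifact type code")
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("type 0x0001 artifact must be exactly 42 bytes")
    return raw[2:22], raw[22:42]

def resolve_idp(b64):
    """Return (providerId, resolution endpoint, handle) for a received artifact."""
    sid, handle = parse_artifact(b64)
    provider_id = SOURCE_INDEX.get(sid)
    if provider_id is None:
        # Never guess: an unmapped SourceID means the issuer is not in our metadata.
        raise LookupError("SourceID does not match any IdP in metadata")
    return provider_id, METADATA[provider_id], handle

def make_artifact(provider_id, handle, type_code=TYPE_0001):
    """Build a constructed sample artifact for exercising the parser."""
    raw = type_code + source_id(provider_id) + handle
    return base64.b64encode(raw).decode("ascii")

if __name__ == "__main__":
    sample = make_artifact("urn:example:idp-b", bytes(range(20)))
    print(sample, "->", resolve_idp(sample)[:2])
```
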



