shibboleth-dev - RE: comments: draft-mace-shibboleth-arch-protocols-02

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Cc: <>
  • Subject: RE: comments: draft-mace-shibboleth-arch-protocols-02
  • Date: Wed, 17 Nov 2004 13:06:49 -0500
  • Organization: The Ohio State University

> The domain suffix IPDP just seems to fit the bill for users and agents.

As a matter of reality, dealing with all the mis-entered values and so forth
results in essentially exactly the same user experience. IOW, I don't think
it buys you much, and I don't think that it's a good idea in general to
federate authentication within the UI of any one application. This is an
area of significant disagreement, I realize, but I think it's a step down
the wrong road.

Better to unify "local" access under the common federated structure so that
it looks the same as any other users.

You don't have to use a WAYF to do this, it can be made part of the UI of
the application.

> Needless to say, the password is only entered at the IdP side. Or, if
> trust is enough, in a federation, the password can be entered
> at the SP and sent back to the IdP in AuthnRequest.

That's not allowed, or desired.

-- Scott



