
shibboleth-dev - RE: comments: draft-mace-shibboleth-arch-protocols-02

Subject: Shibboleth Developers

  • From: "Alistair Young" <>
  • To: "Scott Cantor" <>
  • Cc:
  • Subject: RE: comments: draft-mace-shibboleth-arch-protocols-02
  • Date: Thu, 18 Nov 2004 00:00:13 -0000 (GMT)
  • Importance: Normal

I realise there's disagreement Scott but I also value your opinions. The
use case I describe is, in the first instance, for the Bodington VLE and
also for agent access to eLearning systems.
For instance, an IdP could initiate an agent to gather assessment info for
students on its behalf. In this case, there's no UI. Rather, the agent
would have an X509 that it presents.
I'm not sure what you mean though, where the "local" access can be
combined with shibboleth type access in the UI of the application.
Is this different from federate authentication within the UI?
Alistair


--
Alistair Young
Senior Software Engineer
UHI@Sabhal
Mòr Ostaig
Isle of Skye
Scotland

>> The domain suffix IPDP just seems to fit the bill for users and agents.
>
> As a matter of reality, dealing with all the mis-entered values and so forth
> results in essentially exactly the same user experience. IOW, I don't think
> it buys you much, and I don't think that it's a good idea in general to
> federate authentication within the UI of any one application. This is an
> area of significant disagreement, I realize, but I think it's a step down
> the wrong road.
>
> Better to unify "local" access under the common federated structure so that
> it looks the same as any other users.
>
> You don't have to use a WAYF to do this, it can be made part of the UI of
> the application.
>
>> Needless to say, the password is only entered at the IdP side. Or, if
>> trust is enough, in a federation, the password can be entered
>> at the SP and sent back to the IdP in AuthnRequest.
>
> That's not allowed, or desired.
>
> -- Scott
>
>



