
shibboleth-dev - RE: comments: draft-mace-shibboleth-arch-protocols-02

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Cc: <>
  • Subject: RE: comments: draft-mace-shibboleth-arch-protocols-02
  • Date: Wed, 17 Nov 2004 20:34:27 -0500
  • Organization: The Ohio State University

> For instance, an IdP could initiate an agent to gather assessment info for
> students on its behalf. In this case, there's no UI. Rather, the agent
> would have an X509 that it presents.

I don't quite follow the use case, I guess. What kind of gathering
operation? Is the IdP authenticating as itself or impersonating users? With
what interface? Doesn't sound like a browser use case, therefore it's not
really addressed by anything we've done so far anyway.

> I'm not sure what you mean though, where the "local" access can be
> combined with shibboleth type access in the UI of the application.
> Is this different from federated authentication within the UI?

The application UI itself treats all users the same. If you need a "local"
user database (not always even a good idea), then that just becomes one of
the choices. I don't think I have to enter an ID (and screw it up) to
indicate how I need to login. It might just be the "use this if you don't
recognize anything else" choice.

It just seems like duplicate entry to me and doesn't strike me as intuitive
for users unless you try and assume that their email address will match,
which will get you some hotmail.com and gmail.com entries, etc.

I'm not saying it's crazy or anything, just that I've been skeptical that it
helps greatly.

I think the big problem is the lack of any well-understood-by-users "label"
to apply to this thing you want them to enter. I was talking to the XNS guys
that we met in Austin last fall about this idea that people could enter this
personal i-name thing and it would resolve as an XRI into their IdP.
Interesting idea, except that nobody knows what the heck an i-name is and
few have them.

-- Scott



