Shibboleth Developers

["Scott Cantor" <>]

> Following up on the previous discussion, there is a tension in the cookie
> thing. You want the cookie scoped widely enough to cover the SP and all
> its RMs, but things get confusing if it is scoped widely enough 
> to cover two SPs at the same network. If that is possible, then the Entity

> name has to become part of the Cookie variable name, or the two SPs are
> going to be stepping on each other overwriting each other's cookies.

Yes. It already came up by accident between a couple of servers at NSDL, and
I already know I have to fix this more effectively by hashing in something
like the providerId to generate the cookie names. I used to have my
customers set their own names (the shib code did also), but I wanted to
remove one parameter from the config process and just didn't do it well
enough.

> The SP to RM is just a handoff of Serializable objects across a memory
> boundary.

Sure. When the boundary is no longer memory and especially when the browser
gets involved, that's when the handoff becomes an SSO protocol (by my
definition anyway).

> Which, I guess is the long winded way of saying that I don't have an
> airtight solution to propose and am pissed that I am expected to come up
> with one. It is easier to wave your hands and come up with four than it is
> to sit down and come up with one. 

Not sure if this is addressed to me or not, but I'm certainly not expecting
you to come up with one (unless you want to for your own purposes). That's
basically my entire point, that it's not that easy to do, especially without
a lot of assumptions or dependencies.

-- Scott