shibboleth-dev - RE: GridShib integration

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: "'Tom Scavo'" <>, "'Shibboleth Development'" <>
  • Subject: RE: GridShib integration
  • Date: Wed, 2 Mar 2005 11:15:04 -0500
  • Organization: The Ohio State University

> - Will the Shib SSO service accept an X.509 cert in lieu of a Shib
> authn request and return an authn statement with opaque Shib handle?

No, there has to be an AuthnRequest or much madness ensues. A cert is not
one. However, it is certainly allowed to use client certs to authenticate
the browser and then write a NameMapper plugin to extract the principal from
the cert and use that to create the identity behind the transient handle. I
think a couple sites do this now.

> - Will the Shib ACS accept a request with X.509 cert and invoke the AR
> with a <saml:Subject> the AA will understand?

Definitely not. It's been discussed occasionally. That wouldn't be an Assertion
Consumer Service at all, needless to say. We'd have to develop a profile for
this, and then provide the module with the ability to generate a session
using it. There wouldn't need to be an explicit ACS location, probably,
though I suppose it's one approach if you wanted to use SSL on only that one
resource. Seems kinda bizarre to do that after all the pain of getting a
user to use a client cert.

-- Scott
