
shibboleth-dev - Re: GridShib integration


Re: GridShib integration


  • From: Tom Scavo <>
  • To: Scott Cantor <>
  • Cc: Shibboleth Development <>
  • Subject: Re: GridShib integration
  • Date: Wed, 2 Mar 2005 21:29:59 -0600

On Wed, 2 Mar 2005 11:15:04 -0500, Scott Cantor <> wrote:
> > - Will the Shib SSO service accept an X.509 cert in lieu of a Shib
> > authn request and return an authn statement with opaque Shib handle?
>
> No, there has to be an AuthnRequest or much madness ensues.

Well, we definitely want to avoid that. ;-)

> However, it is certainly allowed to use client certs to authenticate
> the browser and then write a NameMapper plugin to extract the principal from
> the cert and use that to create the identity behind the transient handle. I
> think a couple sites do this now.

That's a possibility. If someone is already doing this, we'd love to
hear about it.

> > - Will the Shib ACS accept a request with X.509 cert and invoke the AR
> > with a <saml:Subject> the AA will understand?
>
> Definitely not. It's been discussed occasionally. That wouldn't be an Assertion
> Consumer Service at all, needless to say. We'd have to develop a profile for
> this, and then provide the module with the ability to generate a session
> using it.

We're not so much interested in the session (since a grid service
maintains its own) as we are in the resulting attributes. We've
developed a profile along these lines but it requires us to generate
an authn assertion to tap into the ACS, which we'd like to avoid.

> There wouldn't need to be an explicit ACS location, probably,
> though I suppose it's one approach if you wanted to use SSL on only that one
> resource. Seems kinda bizarre to do that after all the pain of getting a
> user to use a client cert.

I don't totally understand the comment. No, we don't need an ACS
since we don't necessarily have an authn assertion to consume, but how
else do we get attributes short of implementing an AR ourselves?

Thanks,
Tom
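A small sketch, added here and not taken from the Shibboleth code base, of the NameMapper idea Scott describes: the principal is pulled out of the client cert's subject DN and hidden behind an opaque transient handle that only the IdP side can resolve back when the AA is asked for attributes. The DN parser, the emailAddress/CN preference and the handle TTL are assumptions, not Shibboleth's actual behaviour.

```python
"""Toy NameMapper: X.509 subject DN -> opaque transient handle -> principal."""
import re
import secrets
import time

HANDLE_TTL = 300  # seconds a transient handle stays resolvable (assumed value)


def principal_from_subject(subject_dn: str) -> str:
    """Extract the principal from a subject DN string such as
    'C=US, O=Example Grid, CN=Tom Scavo'. Policy (constructed): prefer the
    emailAddress RDN, fall back to CN. Escaped commas (\\,) are not separators."""
    rdns = {}
    for rdn in re.split(r"(?<!\\),", subject_dn):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            rdns[key.strip().upper()] = value.strip()
    for key in ("EMAILADDRESS", "CN"):
        if key in rdns:
            return rdns[key]
    raise ValueError("no usable principal in subject DN")


class TransientHandleMapper:
    """Issues random handles and resolves them, standing in for the handle
    state the SSO service and the AA share. The handle carries no information
    about the principal, so a relying party cannot correlate users across
    sessions from the handle alone."""

    def __init__(self):
        self._handles = {}  # handle -> (principal, expiry timestamp)

    def issue(self, subject_dn: str, now=None) -> str:
        principal = principal_from_subject(subject_dn)
        handle = secrets.token_urlsafe(24)  # random, never derived from principal
        now = time.time() if now is None else now
        self._handles[handle] = (principal, now + HANDLE_TTL)
        return handle

    def resolve(self, handle: str, now=None):
        """Return the principal behind a handle, or None if unknown/expired."""
        entry = self._handles.get(handle)
        if entry is None:
            return None
        principal, expires = entry
        now = time.time() if now is None else now
        if now > expires:
            del self._handles[handle]  # expired handles are forgotten
            return None
        return principal
```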



Archive powered by MHonArc 2.6.16.
