shibboleth-dev - Re: Possible to proxy attribute assertions?
Subject: Shibboleth Developers
- From: Peter Murray <>
- Subject: Re: Possible to proxy attribute assertions?
- Date: Sat, 19 Mar 2005 09:06:26 -0500
On 3/18/05 11:52 PM, Scott Cantor wrote:
> Probably more than you wanted to hear on the subject.
Actually, it is exactly what I needed. Even as I was writing the e-mail
and stumbling over the roles of the metasearch engine (MSE, if you
will), IdP, destination SP, and the browser client, I had an inkling
that this was moving into very messy waters.
> It's important to identify whether the intermediary acts as client or as
> authority. Today, most use cases are internal, and the intermediary is
> simply an authority. That is, it's trusted to make assertions about the
> client, and the client doesn't control it or constrain it. The assertions
> aren't usually SAML, of course, but they could be. The information provided
> by the original IdP is simply re-asserted to the SP by the intermediary and
> it's trusted, just as the IdP is trusted by the intermediary. There's very
> little to specify here because the security is isolated hop by hop.
Setting aside for the moment that this does not follow the new world
order, is it possible given Shibboleth version 1.3 as we know it now?
In working with the NISO Metasearch Initiative, we're not only
describing how it arguably /should/ be done, but also documenting what
is possible. (The latter is very, very messy -- IP address recognition,
individual username/passwords, etc. -- such that having a way for the MSE to be
trusted to assert attributes to a destination SP on behalf of a user
would be a vast improvement on what we have now.)
>>So, another way to ask the core I think is this: "does the metasearch
>>engine, acting as an SP, have enough information to turn around and act
>>as if it were an IdP to the destination SPs?"
>
> This, as I said, is the easy case, because the IdP is the authority. If the
> engine is trusted to do this, it makes up whatever it wants, presumably
> based on what it received.
Correct me if I get this wrong, but I think you intended to say "because
the MSE is the authority" as you go on to describe how the MSE can, in
reality, assert anything it wants to the destination SP.
> In the new world order, this isn't so nice, and what you really want is the
> intermediary to be a delegate of the client, constrained by the IdP. It must
> really act as a client, and obtain tokens from the IdP that reflect the
> situation, possibly even the delegation itself so the SP knows both
> identities are involved.
Stumbling naively into what you describe as a really hard problem, does
the metasearch scenario make a good foundation for the NISO MSE
committee to work on the scope and potential solutions in this
proxy/delegation area? There is a group here that may be willing to
throw some time/effort into the process.
Peter
--
Peter Murray http://www.pandc.org/peter/work/
Assistant Director, Multimedia Systems tel:+1-614-728-3600;ext=338
OhioLINK: the Ohio Library and Information Network Columbus, Ohio