shibboleth-dev - SPs and WAYFs
Subject: Shibboleth Developers
- From: "Scott Cantor" <>
- To: "'Shibboleth Dev Team'" <>
- Subject: SPs and WAYFs
- Date: Thu, 31 Mar 2005 15:20:49 -0500
- Organization: The Ohio State University
I'm starting to think through what kind of WAYF-type improvements the SP
needs, so we could talk through some of that Monday. It's probably a
long-term project, but so far, I've already:
- added Include and Exclude elements to the XML FederationProvider to allow
specific IdPs to be trusted or blocked, overriding the federation feed
- added a separate error template for profile failures caused by metadata
lookup, allowing that error to be broken out
- added non-strict metadata lookup to permit contact info to be found even
if the metadata entry is blocked or expired
I'm hoping to add:
- a common domain cookie implementation (could just be a local cookie to
store the IdPs used, depends on where the URL points) and an optional mode
to silently use that value if possible
- a wayfProfile parameter to control what authn request profile to use with
a particular WAYF (for e-authn, WS-Fed, etc.)
- a local session initiator endpoint (the old lazy session thing) that can
be handed a providerId, and then use metadata to figure out how to invoke it
(so SPs building WAYFs will be able to get future protocol support for free)
- some kind of built-in WAYF that walks the metadata plugins to build a list
for the user to choose from, so people at least have something local to rely
on out of the box until we have options available
-- Scott