shibboleth-dev - RE: WAYF cookie considered dubious
  • From: "Scott Cantor" <>
  • To: "'Olivier Salaün - CRU'" <>, <>
  • Subject: RE: WAYF cookie considered dubious
  • Date: Mon, 18 Apr 2005 11:42:00 -0400
  • Organization: The Ohio State University

> I'm going on with this thread that Bob Morgan initiated two
> years ago with apparently no acceptable solution adopted :
> https://mail.internet2.edu/wws/arc/shibboleth-dev/2002-11/msg00017.html

Nobody has stepped up with any interest in working on the WAYF code either,
something that at least partly drives my "forget the WAYF" philosophy. If I
was running an SP at this point, I'd feel like I had to own the problem. And
since the number of IdPs actually partnered with a given SP is typically
small, the WAYF provides a misleading experience for users anyway. You get a
lot of false positives that you have to trap at the SP.

> It appears to be a major GUI issue on the WAYF side because
> the average user doesn't know anything about the underlying
> HTTP redirections and the effect cookies have on them.

I think the GUI issue is that we need browser extensions that can manage the
cookie(s) in a consistent way, by standardizing on a cookie name (_saml_idp)
and then providing an extension/utility to set/unset all of the discovery
cookies on a client.

That's why I say it's a client issue. The amount of hackery and coordination
necessary to produce a reasonable outcome on the server side is quite large.
And it's untenable anyway once you have the reality of multiple federations.

> 1. Provide a "back to the WAYF" link in all error pages on
> the IdP side. The WAYF would be contacted with parameters
> disabling the "remember my previous choice" behavior.

Unless we own the authentication process, this isn't yet in scope. Errors
today at the IdP that don't pertain to authentication are not likely to have
any remedy based on a WAYF. And authentication isn't part of the code yet.

> 2. Make the WAYF detect repeated attempts of the user. The
> WAYF could disable the "transparent redirection" if the user
> contacts the WAYF, about the same SP, within a defined period
> of time (let's say 5 minutes)

These are good suggestions, but we also need people to work on them.

-- Scott
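As an added illustration (not code from this thread or from the Shibboleth project), the two mechanisms discussed above in Python: a reader/writer for the `_saml_idp` discovery cookie using the SAML IdP Discovery Profile layout (base64-encoded entityIDs separated by single spaces, most recently used IdP last; that layout is assumed here, the message only names the cookie), and the suggested per-SP repeat-visit guard that disables transparent redirection inside a 5-minute window. The client key and entityID values are constructed placeholders.

```python
import base64
import time
from urllib.parse import quote, unquote

COOKIE_NAME = "_saml_idp"
LOOP_WINDOW_SECONDS = 300  # "within a defined period of time (let's say 5 minutes)"


def parse_idp_cookie(value):
    """Decode a _saml_idp cookie into a list of IdP entityIDs, oldest first.
    Layout assumed from the SAML IdP Discovery Profile: URL-encoded list of
    base64-encoded entityIDs separated by single spaces."""
    ids = []
    for token in unquote(value or "").split(" "):
        if token:
            ids.append(base64.b64decode(token).decode("utf-8"))
    return ids


def build_idp_cookie(entity_ids):
    """Inverse of parse_idp_cookie; safe="" so '+', '/' and '=' are percent-encoded."""
    tokens = [base64.b64encode(e.encode("utf-8")).decode("ascii") for e in entity_ids]
    return quote(" ".join(tokens), safe="")


def remember_idp(cookie_value, chosen_entity_id):
    """Record a user's IdP choice: drop any earlier entry for the same IdP and
    append it, so the most recently used IdP is always last."""
    ids = [i for i in parse_idp_cookie(cookie_value) if i != chosen_entity_id]
    ids.append(chosen_entity_id)
    return build_idp_cookie(ids)


class LoopGuard:
    """Suggestion 2 from the thread: if the same client returns to the WAYF for the
    same SP within the window, skip the transparent redirect and show the chooser."""

    def __init__(self, window=LOOP_WINDOW_SECONDS, now=time.time):
        self.window = window
        self.now = now          # injectable clock for testing
        self.last_seen = {}     # (client_key, sp_entity_id) -> last visit timestamp

    def transparent_redirect_allowed(self, client_key, sp_entity_id):
        t = self.now()
        key = (client_key, sp_entity_id)
        prev = self.last_seen.get(key)
        self.last_seen[key] = t
        return prev is None or (t - prev) > self.window
```

In a real WAYF the client key would be a per-browser session identifier, and the chooser page shown when the guard trips should offer to forget the remembered IdP (clear the cookie) rather than silently redirect again.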
