shibboleth-dev - RE: WAYF talks (was WAYF cookie considered dubious)

RE: WAYF talks (was WAYF cookie considered dubious)

  • From: "Scott Cantor" <>
  • To: "'Sassa'" <>, <>
  • Subject: RE: WAYF talks (was WAYF cookie considered dubious)
  • Date: Wed, 20 Apr 2005 10:25:56 -0400
  • Organization: The Ohio State University

> What's the problem with authenticating, but not authorising the users?
>
> Maybe I am missing a crucial point of the discussion.

Your points are all valid, but we also are sensitive to the user experience,
especially in the library community, where people in the US are often not
prompted at all today.

In that environment, creating a user experience of:

- user accesses site
- user goes to WAYF
- user selects IdP
- user logs in
- user is then rejected by SP

is potentially bad. Whereas an SP that knows what IdPs a user could possibly
use (especially if the list is small) can eliminate the "surprise factor" at
the end.

Also, when discovery is SP-specific, there is no automated SSO flow through
a central WAYF. A user who has logged in and then accesses a new SP that
doesn't support that IdP is not going to see his IdP among the choices, so
you don't have the silent round trip.

Each SP of course is going to drop a cookie (ideally named _saml_idp and
following the 2.0 CDC spec ;-) and eventually (or via population of cookies
using a plugin) the user can easily bypass a lot of the prompts.

WAYFs are merely one, not terrifically scalable, approach to all this.

If you disagree, that's cool too. But when it's so obvious nobody knows what
the right answer here is, it's hard to spend a lot of time hacking on WAYFs.

-- Scott
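The `_saml_idp` cookie mentioned above is the common domain cookie from the SAML 2.0 Identity Provider Discovery Profile: a space-separated list of base64-encoded IdP entityIDs, with the most recently used IdP last. The following is an added illustration of how an SP would maintain that cookie and use it to pick an IdP it actually trusts, skipping the prompt only when the remembered IdP is in its own supported set. It is not code from this thread or from the Shibboleth project; the entityIDs are constructed sample values, and URL-encoding the cookie value so the spaces survive the `Set-Cookie` header is an implementation choice made here.

```python
import base64
from urllib.parse import quote, unquote

# Constructed sample entityIDs (hypothetical, not from the original thread).
SP_SUPPORTED_IDPS = {
    "https://idp.example.edu/shibboleth",
    "https://idp.example.org/idp/shibboleth",
}


def encode_idp_list(entity_ids):
    """Build a _saml_idp value: base64 each entityID, join with single
    spaces (most recently used last), then URL-encode for the cookie header."""
    tokens = [base64.b64encode(e.encode("utf-8")).decode("ascii") for e in entity_ids]
    return quote(" ".join(tokens), safe="")


def decode_idp_list(cookie_value):
    """Parse a _saml_idp value back into entityIDs, oldest first.
    Malformed tokens are dropped rather than trusted or raised on: the
    cookie is only a hint supplied by the browser."""
    ids = []
    for token in unquote(cookie_value).split(" "):
        if not token:
            continue
        try:
            ids.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return ids


def record_idp(cookie_value, entity_id):
    """Return the updated cookie value after a successful login at entity_id:
    the IdP moves (or is appended) to the end as the most recent choice."""
    ids = [e for e in decode_idp_list(cookie_value) if e != entity_id]
    ids.append(entity_id)
    return encode_idp_list(ids)


def preferred_idp(cookie_value, supported_idps):
    """SP-side discovery: the most recently used IdP that this SP trusts,
    or None, in which case the SP must still prompt. Filtering against the
    SP's own metadata-backed set is what avoids the 'surprise rejection'
    after login and stops the hint from steering users to an unknown IdP."""
    for entity_id in reversed(decode_idp_list(cookie_value)):
        if entity_id in supported_idps:
            return entity_id
    return None


if __name__ == "__main__":
    cookie = ""
    cookie = record_idp(cookie, "https://idp.example.edu/shibboleth")
    cookie = record_idp(cookie, "https://idp.example.org/idp/shibboleth")
    print("cookie:", cookie)
    print("history:", decode_idp_list(cookie))
    print("SP picks:", preferred_idp(cookie, SP_SUPPORTED_IDPS))
    print("SP that trusts neither:", preferred_idp(cookie, {"https://other.example/idp"}))
```

Because `preferred_idp` consults the SP's own supported set rather than a central WAYF, each SP decides independently whether it can skip the prompt, which is the SP-specific discovery behaviour described in the message: a new SP that does not support the remembered IdP simply falls back to showing its own list.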