Shibboleth Developers

[Scott Cantor <>]

> Since some of these are going to have to change anyway, I suggest we
> use the following pair of providerIds instead:
>
> https://idp.example.org/shibboleth
> https://sp.example.com/shibboleth
>
> In my (limited) experience, using two separate domains makes it easier
> to upgrade the out-of-the-box config.

I have a hard time seeing how introducing an easy to mistype difference 
that I barely spotted would be helpful...I think I'd find it very 
annoying, so I'd like to hear some other opinions.

> Related to this, the config files should not assume InQueue
> membership.  Instead a bilateral trust relationship between
> idp.example.org and sp.example.com should be hardwired in. 
> Configuring to InQueue out-of-the-box adds significant complexity to
> the install, I think.

One metadata file is complex? Until InQueue shuts down of course, at 
which point we'd substitute the self-registration federation.

I did suggest to Walter that the IdP stop treating InQueue as the 
default RelyingParty though. Maybe that's what you're referring to, the 
SP really doesn't have much InQueue in it.

-- Scott