
shibboleth-dev - Re: Shib 1.3 configuration

  • From: Tom Scavo <>
  • To: Scott Cantor <>
  • Cc: Nate Klingenstein <>, Shibboleth Development <>
  • Subject: Re: Shib 1.3 configuration
  • Date: Tue, 24 May 2005 10:04:42 -0400

On 5/23/05, Scott Cantor <> wrote:
> > You have example.org, example.com, and example.net to play
> > with. It would be nice if example.edu were in this group of
> > protected domains, but unfortunately it's not.
>
> I actually pushed back against using example.edu so as to counter the "Shib
> is only for universities" myth.

Yes, I know, but the main reason is that example.edu is not one of the
reserved domains.

> > First prerequisite is that the default config run on a single machine.
> > This encourages people to download and test on their laptop
> > or whatever they have available. (You do want to encourage
> > people to try the software, right? :) To meet this
> > requirement, any config will do (one entity, two entities-one
> > domain, two entities-two domains).
>
> Well, they don't do this. We thought they might. And maybe they will once
> both halves are in Java...

Yes, all-Java will make a difference. For one thing, Howard has
written detailed documentation and I have additional documentation
that shows how to make all this work under Tomcat.

> > Second prerequisite is that the default config generalize
> > with as little pain as possible. By "generalize" I mean two
> > separate hosts, which is needed to solve bilateral trust in
> > full generality. This requires two entities-two domains.
> > That opens the door to federated trust.
>
> I don't see why two hostnames in one domain isn't sufficient for this.
> There's no practical difference that I can think of. You can obviously fill
> in any domain name you want and things are exactly the same.

Well, okay, I think you're right. It's just as easy to generalize a
two entity-one domain config as it is a two entity-two domain config.
Might as well leave it at that.

> My concern is that example.* are the only "clearly" reserved domains, and I
> believe (I guess this is the point of disagreement) that having both
> example.com and example.org (or net) will lead to confusion, but I don't
> feel strongly about it.

Yes, you're right. There doesn't seem to be a clear advantage of
using two domains.

> Anyway, I'm leaving it alone for now so I don't screw anything up...

It's already screwed up. ;-) The config does not work as it stands at
the moment. For one thing, the IdP providerId in the IdP config file
does not match the providerId in the metadata. Same goes for the SP
providerId in the Java SP config (which I assume Howard is working
on).

Also, the metadata file referenced in the IdP config file has been
removed, so that's a problem, too. I plan to install HEAD later today
so I'll let you know if I find anything else.

Tom
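The two breakages Tom reports at the end of the message (an IdP providerId that does not match anything in the metadata, and a metadata file referenced from the IdP config that no longer exists) are exactly the kind of thing a small consistency check catches before anyone starts debugging SSO failures. The following is an added example, not code from the Shibboleth project or from anyone in this thread. It assumes the Shib 1.3 IdP layout: an idp.xml whose root IdPConfig element (namespace urn:mace:shibboleth:idp:config:1.0) carries a providerId attribute and whose MetadataProvider elements reference metadata files through a file: uri attribute, plus SAML 2.0 metadata whose EntityDescriptor elements carry entityID. The sample idp.xml and metadata are constructed for the demo; the hostnames, paths and the removed-metadata.xml name are made up.

```python
"""Offline consistency check: IdP providerId vs. metadata entityIDs, and existence
of every file: metadata source the IdP config references.

Added example (not Shibboleth project code). Assumes the Shib 1.3 idp.xml layout
described in the lead-in; every file name and hostname below is constructed.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

IDP_NS = "urn:mace:shibboleth:idp:config:1.0"          # Shib 1.3 IdP config namespace
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"          # SAML 2.0 metadata namespace
XML_METADATA_TYPE = "edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"

# Constructed sample metadata: the IdP known here lives at example.com.
SAMPLE_METADATA_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="{MD_NS}" Name="urn:mace:shibboleth:examples">
  <EntityDescriptor entityID="https://idp.example.com/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.com/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def build_idp_xml(provider_id, metadata_uris):
    """Render a minimal constructed idp.xml with the given providerId and sources."""
    providers = "\n".join(
        f'  <MetadataProvider type="{XML_METADATA_TYPE}" uri="{uri}"/>' for uri in metadata_uris
    )
    return (f'<?xml version="1.0" encoding="UTF-8"?>\n'
            f'<IdPConfig xmlns="{IDP_NS}" providerId="{provider_id}">\n{providers}\n</IdPConfig>\n')


def file_uri_to_path(uri):
    """Map a file: URI from MetadataProvider/@uri to a local path; None for other schemes."""
    parsed = urlparse(uri)
    return parsed.path if parsed.scheme == "file" else None


def load_entity_ids(metadata_path):
    """Collect every entityID declared in a SAML 2.0 metadata file."""
    tree = ET.parse(metadata_path)
    return {e.get("entityID") for e in tree.iter(f"{{{MD_NS}}}EntityDescriptor") if e.get("entityID")}


def check_idp_config(idp_xml_path):
    """Return a list of problems found; an empty list means the config is consistent."""
    problems = []
    root = ET.parse(idp_xml_path).getroot()
    provider_id = root.get("providerId")
    if not provider_id:
        problems.append("IdPConfig has no providerId attribute")

    known_ids = set()
    for mp in root.iter(f"{{{IDP_NS}}}MetadataProvider"):
        uri = mp.get("uri")
        path = file_uri_to_path(uri) if uri else None
        if path is None:
            continue  # remote (http) sources are out of scope for an offline check
        if not os.path.isfile(path):
            problems.append(f"metadata file referenced by IdP config is missing: {path}")
            continue
        known_ids |= load_entity_ids(path)

    if provider_id and provider_id not in known_ids:
        problems.append(f"providerId {provider_id!r} does not match any entityID in metadata "
                        f"{sorted(known_ids)}")
    return problems


def _write_sample(provider_id, extra_uris=()):
    """Write the constructed metadata plus an idp.xml into a temp dir; return idp.xml path."""
    tmp = tempfile.mkdtemp()
    md_path = os.path.join(tmp, "example-metadata.xml")
    with open(md_path, "w") as f:
        f.write(SAMPLE_METADATA_XML)
    uris = [f"file:{md_path}"] + [f"file:{os.path.join(tmp, name)}" for name in extra_uris]
    idp_path = os.path.join(tmp, "idp.xml")
    with open(idp_path, "w") as f:
        f.write(build_idp_xml(provider_id, uris))
    return idp_path


def demo_broken():
    """Reproduce the two reported problems: wrong providerId, removed metadata file."""
    return check_idp_config(_write_sample("https://idp.example.org/shibboleth",
                                          extra_uris=["removed-metadata.xml"]))


def demo_fixed():
    """Same check after aligning providerId with the metadata and dropping the stale source."""
    return check_idp_config(_write_sample("https://idp.example.com/shibboleth"))


if __name__ == "__main__":
    for p in demo_broken():
        print("BROKEN:", p)
    print("FIXED:", demo_fixed() or "no problems")
```

The check deliberately compares the providerId against the union of every locally referenced metadata file, because an IdP whose own entityID is absent from the metadata its peers consume will fail signature and trust lookups in ways that look like a cryptographic problem rather than a naming one.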
