shibboleth-dev - RE: Tomcat and certificate validation for SSL
Subject: Shibboleth Developers
- From: "Scott Cantor" <>
- To: "'Tom Scavo'" <>
- Cc: <>
- Subject: RE: Tomcat and certificate validation for SSL
- Date: Tue, 14 Jun 2005 19:16:49 -0400
- Organization: The Ohio State University

> So just to make sure I understand what the options are, Shib 1.3
> supports a traditional apache-tomcat configuration (except that
> authentication and path validation are now split between the two) but
> signed attribute queries are not supported and there are no plans to
> add this feature. Correct?

Apache isn't doing much except for the SSL packet pushing, so I'd say it's
not really handling any of the authentication, but you could say it's split,
I guess.

The IdP does not support authentication via signing, correct. It does
support signing itself, and the SP supports signing itself and can
authenticate the IdP/AA if it signs as well as signed assertions. But it
will always authenticate the server's key when it does TLS, so the signing
would only be useful over HTTP, and then you lose the encryption, etc.

Plans are not very far out at this point, since none of 2.0's design is
determined. If people think this is important, it should be on the list of
proposed features, then subject to who can/will do the work.

> Actually it will push people away from a standalone tomcat deployment,
> towards the traditional apache-tomcat setup.

Then I'd echo Walter's sentiment and say this isn't our deliverable. If
Tomcat's broken, you (speaking of the people who care about this) should go
get it fixed, not fix it here.

-- Scott