Shibboleth Developers

another discussion topic for today.....

here's another mockup for a new shib front page -- as you can see, 
simplicity is the guiding principle here. Reduce the front page to a 
small(er) Nav Bar, and some text that conveys the key points abut 
shib; the Nav bar would take viewers to pages with more info, and 
more detaile info

http://shibboleth.internet2.edu/index0721.html

today's question is -- what points do we want to make on the front 
page? Here's a list of possibilities I can think of... altho I'm not 
sure I'd vote for all of these.... this list is offered as a 
strawman, intended to trigger the usual spirited conversation.....

--- (simple definition) Shibboleth, federated authentication 
technology developed by the Internet2 community, enables more 
scalable, privacy-preserving access to online resources. Using 
Shibboleth-enabled access simplifies management of access permissions 
for both the campus and for service providers

--- (key attributes of shib) Shibboleth, a project of Internet2/MACE, 
is developing architectures, policy structures, practical 
technologies, and an open source implementation to support 
inter-institutional sharing of web resources subject to access 
controls. In addition, Shibboleth will develop a policy framework 
that will allow inter-operation within the higher education 
community. Key concepts within Shibboleth include:

*	Federated Administration. The Identity Provider (origin) 
campus (home to the browser user) provides attribute assertions about 
that user to the Service Provider (target) site. A trust fabric 
exists between campuses, allowing each site to identify the other 
speaker, and assign a trust level. Identity Provider sites are 
responsible for authenticating their users, but can use any reliable 
means to do this.
*	Access Control Based On Attributes. Access control decisions 
are made using those assertions. The collection of assertions might 
include Identity, but many situations will not require this (eg 
accessing a resource licensed for use by all active members of the 
campus community, accessing a resource available to students in a 
particular course).
*	Active Management of Privacy. The Identity Provider (origin) 
site, and the browser user, control what information is released to 
the Service Provider (target). A typical default is merely "member of 
community". Individuals can manage attribute release via a web-based 
user interface. Users are no longer at the mercy of the target's 
privacy policy.
*	Standards Based. Shibboleth will use OpenSAML for the message 
and assertion formats, and protocol bindings which is based on 
Security Assertion Markup Language (SAML) developed by the OASIS 
Security Services Technical Committee.
*	A Framework for Multiple, Scaleable Trust and Policy Sets 
(Federations). Shibboleth uses Federations to specify a set of 
parties who have agreed to a common set of policies. (A site can be 
in multiple Federations, though.) This moves the trust framework 
beyond bi-lateral agreements, while providing flexibility when 
different situations require different policy sets.
*	A Standard (yet extensible) AttributeValue Vocabulary. 
Shibboleth has defined a standard set of attributes; the first set is 
based on the eduPerson object class that includes widely-used person 
attributes in higher education.

-- It leverages campus identity and access management infrastructures 
to authenticate individuals and then sends information about them to 
the resource site, enabling the resource provider to make an informed 
authorization decision.

-- typical scenarios.....

-- what makes shibboleth unique (among federation products)?

-- what value does shib/saml/federation provide to IdPs, SPs?

-- what is a Federation? what does it provide?

-- shib as SSO

-- (more key attributes)
        open source, open standards
        scaleable, flexible federation
        Single Sign-On
        attribute exchange
        extensible, modular platform
        privacy management