Shibboleth Developers

["Rod Widdowson" <>]

Stephen Carmody said:
> rephrasing Spencer's question -- what can we do so that users never/rarely 
> see the WAYF?

Well the catch22 situation is that until the user has first interacted with 
an IdP there is not a great deal you can do.   What the Sciencedirect.com 
WAYF appears to do is to sniff at your IP address and make an educated guess 
about which IdP you might be interested in and suggest that first. I 
wouldn't like to be the one to maintain that though.

I guess that the bottom line is that right now, the WAYF is the worst 
possible way of doing IdP Discovery except for all the others, and you *do* 
need a way to bootstrap yourself into the situation at which you never see
the WAYF again unless you have to.

So in SDSS we are keen to make the WAYF easier to use, invisible where 
possible, and lower the barrier to entry for people who want to develop 
their own.  We also have to address (sooner rather than later) how to 
service a world in which multiple SPs are in multiple (often disjoint) 
Federations.

Chad said:
> I think that the multi-federation support being worked on by the SDSS 
> folks needs to be incorporated (I'll leave it to them to describe this, if 
> they want).

So what we've got (towards meeting all the above) right now is:

- Use of the same metadata provider (and infrastructure), as the IdP.  This 
should shrink the war distribuion down from 7 Megs to being a handful of 
classes and a couple of jsps.

- Ability to load multiple medatata providers and sources (configured in 
wayf.xml in a way similar to the IdP).

- Automatic trimming of which IdP's are displayed (only IdPs which the SP 
knows about are listed)

- Use of the SAML_IDP cookie to store a list of recently visited IdPs.  If 
one of the recently visited IdPs can service the SP, then the user never 
sees the WAYF (this is the same mechanism the WAYF uses in 1.3 generalised 
to using the SAML_IDP cookie and multiple federations).

At this stage if one postulates a SAML_IDP cookie aware SP and possibly a 
mechanism to manage the SAML_IDP cookie (maybe a browser plugin?) then we 
should get to a situation when the user only sees the WAYF when they 
genuinely have to set about discovering a new Identity Service.

/rod