shibboleth-dev - RE: Future of the WAYF discussion

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Future of the WAYF discussion
  • Date: Wed, 28 Sep 2005 10:49:49 -0400
  • Organization: The Ohio State University

> Going further than pre-selecting the IdP, i.e. just use a permanent
> cookie and skip the WAYF is dangerous, in my view.
> What shall a user do who has by chance chosen the wrong IdP at the first
> visit?
> What shall a user do who has two accounts at two IdPs because he has two
> roles/jobs and has to be able to switch between them occasionally?

And we have people on the other side saying "we can't use Shib if we can't
skip this stupid page...".

This is exactly why having a WAYF in the "cloud" won't work unless we go off
and create a whole protocol for influencing things from the SP. Too much
loss of control over what happens.

If we're going to do that, I think we'd need some kind of serious buy-in
that we can really do this on a global basis, otherwise it just falls apart
for any large SP that has to deal with multiple countries.

At that point, what we'd need to do is change the model from "SP sends
request to WAYF, who forwards it" to something like the SAML 2.0 discovery
model where the SP sends messages to the WAYF and gets back an answer so it
can kick off the request afterward. I was working through those kinds of
ideas with Tom a while back, but I think I correctly decided it was better
to wait on that, and instead just build in a more flexible design into the
SP for potentially plugging in protocols like that later.

> They already maintain lists of IPs mapping to customers for years, so
> no real burden for them. Not that somebody really would start doing that
> now from scratch, I would guess.

Not that I'm advocating this, but some folks in that community have
apparently stumbled on the idea to maintain network ranges in a centralized
directory for use by many apps.

Anything to avoid real authentication.

-- Scott
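The "SP asks the WAYF and gets back an answer" model Scott contrasts with the forwarding model is what the SAML 2.0 IdP Discovery Profile specifies. Below is an added example, not code from this thread or from Shibboleth, of the SP side of that exchange: building the discovery redirect and validating the answer against the SP's own list of trusted IdPs, so the SP keeps control over which IdP it will send a request to. The entity IDs and the discovery service URL are constructed sample values.

```python
from urllib.parse import urlencode, parse_qs, urlsplit, urlunsplit

# Constructed sample data: the SP's own entityID and the IdPs it trusts.
# In a real deployment both come from the SP's SAML metadata.
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
KNOWN_IDPS = {
    "https://idp.example.edu/idp/shibboleth",
    "https://idp.example.com/idp/shibboleth",
}
# Query parameter the discovery service uses to carry its answer
# (the profile's default name).
RETURN_ID_PARAM = "entityID"


def build_discovery_redirect(ds_url, return_url, is_passive=False):
    """Build the SP -> discovery service redirect of the SAML 2.0 IdP
    Discovery Profile. The SP only asks for a choice; the authentication
    request itself is issued by the SP afterward. isPassive=False is the
    case where the user must be shown the page, e.g. to switch between
    two accounts at two IdPs."""
    params = {
        "entityID": SP_ENTITY_ID,
        "return": return_url,          # DS must check this against SP metadata
        "returnIDParam": RETURN_ID_PARAM,
        "isPassive": "true" if is_passive else "false",
    }
    parts = urlsplit(ds_url)
    query = (parts.query + "&" if parts.query else "") + urlencode(params)
    return urlunsplit(parts._replace(query=query))


def parse_discovery_response(request_url):
    """Extract the IdP chosen by the discovery service from the URL it sent
    the browser back to. Returns the entityID, or None when no answer was
    given (passive mode, or the user chose nothing). Raises ValueError for
    an entityID the SP does not trust, so a tampered or stale answer cannot
    steer the SP into sending a request to an arbitrary IdP."""
    values = parse_qs(urlsplit(request_url).query).get(RETURN_ID_PARAM, [])
    if not values:
        return None
    if len(values) != 1:
        raise ValueError("ambiguous discovery response")
    idp = values[0]
    if idp not in KNOWN_IDPS:
        raise ValueError("discovery service returned an unknown IdP: " + idp)
    return idp
```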
