
shibboleth-dev - RE: SAML delegation profiles draft-01 uploaded

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: "'caleb racey'" <>, "'Shibboleth Development'" <>
  • Subject: RE: SAML delegation profiles draft-01 uploaded
  • Date: Tue, 4 Oct 2005 10:43:49 -0400
  • Organization: The Ohio State University

> Ok fair enough Kerberos tickets aren't suitable in a genuine federated
> scenario, however they are useful within an institute and in grey area
> semi federated scenarios.

Certainly.

> A system like shibboleth that will authenticate a user and also tell you
> details about that user (are they staff student etc) is as useful
> internally as it is in a federated scenario.

I've been arguing that since 2001, although it's taken until version 1.3
before the stability of the system has caught up with my claims.

> In this context the ability to pass Kerberos service tickets via
> shibboleth would be very useful. I would much rather tell other admins
> in my institute to "use shibboleth for internal webapps" than to tell
> them "pubcookie for internal apps, shibboleth for federatable
> webapps".

I would too. I do in fact, I don't give them a choice. They can do whatever
they want on their own, but I only support one piece of software. Eventually
I'll probably support ADFS, which will get me out of the IIS business,
hopefully.

> You are right, I have reread the doc and was jumping to the false
> conclusion that SAML was being used to pass tokens, rather than SAML
> being the token. That said I think there is a use case for being able to
> pass tokens

I agree, but I think that's a different profile and as I said, I'm the wrong
person to write it.

> Does this sound like a sensible use case where the ability to distribute
> kerb tickets via shib attribute might be valuable?

It's pretty much the most common reason. The second most common is probably
access to AFS/DFS file store.

-- Scott



