
shibboleth-dev - Re: authentication authority

Subject: Shibboleth Developers


Re: authentication authority


  • From: Tom Scavo <>
  • To:
  • Subject: Re: authentication authority
  • Date: Fri, 14 Oct 2005 14:17:51 -0400

On 10/14/05, Brent Putman <> wrote:
>
> I think what Scott proposed, and what you are looking for, is very
> similar to what Chad presented at GridWorld/GGF last week. In a
> nutshell it involves using SAML 2.0 AuthnRequest and
> RequestedAuthnContext. See Chad's slides available here:
>
> http://www.ggf.org/GGF15/ggf_events_schedule_UserManagement.htm

Brent, thanks for the pointer. I was at Chad's excellent presentation
last week.

> We will probably be implementing something very similar for another
> non-Grid fat client-server oriented project (Sentinel) - yes, by
> non-spec-compliant backporting it to Shib 1.3 (that is, not compliant to
> SAML 1.1), and implementing an IdP handler which can process the
> AuthnRequest for various cred types (username/password, client cert,
> biometrics, etc) and issue an authentication assertion.

Cool.

> I actually think his proposal is very relevant to this entire thread.

Chad's proposal is based on WS-*, and as you probably know,
transport-level security is still the default in GT4. Message-level
security, although it's included in GT4, will remain mostly a research
topic until the standards have solidified and the performance issues
have been addressed.

One of our requirements is that GridShib MUST work with pre-WS GT4
deployments (which is most of them), which means we don't have the
luxury of SAML 2.0 and WS-*, at least for this first iteration of the
technology. So our use case is considerably more constrained than
yours.

Tom
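The flow Brent sketches above (an SP sends a SAML 2.0 AuthnRequest carrying a RequestedAuthnContext, and an IdP handler picks a credential type and issues an authentication assertion) as an added Python example; it is not code from this thread, from Shibboleth or from GridShib. The handler table, the function names and the sample request are constructed assumptions; only the "exact" comparison is handled, and a request the IdP cannot satisfy yields None rather than a quietly weaker method.

```python
import xml.etree.ElementTree as ET  # parse XML from untrusted parties with defusedxml instead
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
ET.register_namespace("saml", SAML)

# Hypothetical handler table: authn context class -> credential type the IdP collects for it.
HANDLERS = {
    AC + "PasswordProtectedTransport": "username/password over TLS",
    AC + "X509": "client certificate",
}

# Constructed sample request: the SP asks for a client certificate, else a password over TLS.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-1" Version="2.0" IssueInstant="2005-10-14T18:17:51Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{AC}X509</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef>{AC}PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def requested_contexts(authn_request_xml):
    """Return (Comparison, [class refs]) of a samlp:AuthnRequest; Comparison defaults to 'exact'."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return "exact", []  # the SP expressed no preference
    refs = [(e.text or "").strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    return rac.get("Comparison", "exact"), refs

def select_handler(authn_request_xml):
    """Walk the SP's list in its order; return (class, handler) or None, never a weaker substitute."""
    comparison, refs = requested_contexts(authn_request_xml)
    if comparison != "exact":
        raise ValueError(f"Comparison={comparison!r} is not handled by this example")
    for ref in refs or list(HANDLERS):  # no list at all means any local method is acceptable
        if ref in HANDLERS:
            return ref, HANDLERS[ref]
    return None  # nothing we can satisfy: answer with a SAML failure status instead

def authn_statement(context_class, instant):
    """Build the saml:AuthnStatement that records which context the user actually satisfied."""
    stmt = ET.Element(f"{{{SAML}}}AuthnStatement", AuthnInstant=instant)
    ctx = ET.SubElement(stmt, f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = context_class
    return ET.tostring(stmt, encoding="unicode")
```

The class recorded in the AuthnStatement must be the one the user actually satisfied, not the first one the SP asked for, since the SP makes its authorization decision from that value.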



Archive powered by MHonArc 2.6.16.
