
shibboleth-dev - RE: authentication authority

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: authentication authority
  • Date: Fri, 14 Oct 2005 18:04:53 -0400
  • Organization: The Ohio State University

> If you're referring to the MyProxy Client, no, we are not allowed to
> modify the Client. Instead, you could imagine a kind of gateway
> between the MyProxy Client and the MyProxy Server, but the problem is
> not in the consumption of the assertion, it is the production of the
> assertion that has me concerned.

There is no protocol implemented today that does what you want; that wasn't
my intended implication. There is no way to do this without a new protocol
(however obvious and simple that protocol might be).

> So my problem is the following. How does a non-browser client
> (MyProxy Client) with only a username/password get an authN assertion
> from a Shib 1.3 IdP? It is okay to extend the IdP with custom
> protocol handlers (for existing protocols) and plugins, but we should
> avoid new protocols and schemas, if possible.

The bigger issue is that you indicated that you can't modify the client.
Seems to me that's a dealbreaker for adding SAML to the flow.

> Also, there's this nagging issue about local principal name. I don't
> think MyProxy generally has access to that so it's not clear exactly
> what should be encrypted into the handle.

It's likely that it would if you actually expect users to be authenticating
directly to MyProxy.

-- Scott



