shibboleth-dev - ADFS SP support in cvs
- From: "Scott Cantor" <>
- To: <>
- Subject: ADFS SP support in cvs
- Date: Thu, 20 Oct 2005 23:46:22 -0400
- Organization: The Ohio State University
The 1.3 branch has an adfs extension library checked in that implements the
signin and signout actions. Works fine with the ADFS beta code, and wasn't
too hard to manually configure into ADFS. The handler/ACS location (e.g.
/Shibboleth.sso/ADFS) is used for both operations.
Note that there's no SP->IdP callback, thus no certificate/PKI configuration
is supplied to the ADFS account realm, which simplifies things obviously.
Maybe we should move exclusively to POST/attribute-push. ;-)
If you tell the SP which IdP to use and it's ADFS-aware, it will also pick
an ADFS handler instead of a SAML ACS if one is configured, and tell the IdP
to return to that. This is assuming you don't give up all control to a WAYF,
of course. SAML is still favored if the IdP supports that.
There's a ton of code duplication because my APIs weren't correct yet, but I
can externally override most of the module and shibd functionality now using
a plugin, so it looks more elegant than it is (just load the adfs.so
Extension in shibboleth.xml, define a handler, and you're set).
I'll re-port it to HEAD at some point, but I'll probably be redesigning
stuff to make it plug in better first, no rush anyway.
Oh, and at RLBob's suggestion I did look into that Sun/MS interop stuff, but
unfortunately there's really nothing there that helps much at this point.
Definitely no URLs to borrow for metadata, so I just used the WS-Fed XML
namespace in all the Binding and protocol enums.
-- Scott
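A minimal shibboleth.xml fragment illustrating the two steps the message names (load the extension library, then define an ADFS handler). This is an added example, not code from the original post or from the Shibboleth project; the library path, the handler Location and index values, the SP providerId, and the use of the WS-Fed XML namespace string as the Binding value are assumptions about the 1.3 configuration schema, so check them against the extension's own README before relying on them.

```xml
<!-- Added example fragment of a Shibboleth 1.3 SP shibboleth.xml; paths and values are assumed -->
<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

    <!-- Step 1: load the ADFS extension library (install path assumed) -->
    <Extensions>
        <Library path="/opt/shibboleth-sp/libexec/adfs.so" fatal="true"/>
    </Extensions>

    <!-- ... Global / Local sections unchanged ... -->

    <Applications id="default" providerId="https://sp.example.org/shibboleth">
        <Sessions lifetime="7200" timeout="3600" checkAddress="false"
                  handlerURL="/Shibboleth.sso" handlerSSL="true">

            <!-- Existing SAML 1.x POST endpoint stays as it is -->
            <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
                Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>

            <!-- Step 2: one ADFS handler serves both signin and signout, so the
                 same Location (/Shibboleth.sso/ADFS) appears twice. The post says
                 the WS-Fed XML namespace is used as the Binding value; the exact
                 string below is an assumption. -->
            <md:AssertionConsumerService Location="/ADFS" index="3"
                Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"/>
            <md:SingleLogoutService Location="/ADFS"
                Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"/>
        </Sessions>
        <!-- ... Errors, CredentialUse, MetadataProvider, etc. unchanged ... -->
    </Applications>
</SPConfig>
```

For the SP to prefer this handler over a SAML ACS, the post says the chosen IdP must be ADFS-aware; under the scheme described (WS-Fed namespace used for all Binding and protocol enums) that means the IdP's metadata entry would advertise the same namespace string in its protocolSupportEnumeration and SingleSignOnService Binding (also an assumption here). Because there is no SP-to-IdP callback in this profile, the SP's only check on an incoming token is the signature it can verify against the signing certificate in the metadata it already holds for that IdP, so keep that metadata current and loaded from a trusted source.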