
shibboleth-dev - Re: passive authN

Subject: Shibboleth Developers

  • From: "RL 'Bob' Morgan" <>
  • To: Shibboleth Dev Team <>
  • Subject: Re: passive authN
  • Date: Thu, 3 Nov 2005 07:29:41 -0800 (PST)


How much of all this AuthnRequest crap will actually get
used by anyone? Have your SPs been clamoring for the
MobileOneFactorUnregistered authentication context class, or the ability
to specify the saml:Conditions in the returned authentication assertion?

Yes, GridShib needs this today.

So, some months from now, as an IdP weighing whether to use the new built-in Shib SSO or map into my existing webiso, I would probably conclude that my existing webiso can't meet Grid requirements, since it wasn't designed to meet them, and I would be inclined to just use built-in Shib, if it did meet them out of the box. So this doesn't make the case for mapping.

Instead of mapping the AuthnRequest schema onto yet another API, why not simply pass the SAML itself and leave it to the SSO provider to parse? In the end, everyone will consume and produce SAML, right? ;-)

Sure, I should have mentioned this as an option, but I assumed it was unattractive by definition. If I were faced with this requirement, I would look around for existing code that parsed the AuthnRequest, and voila, there's some right inside Shib! So I would ask: can't I use the output of that code rather than duplicating it, which is the question at hand.

- RL "Bob"



