Shibboleth Developers

["RL 'Bob' Morgan" <>]

> > How much of all this AuthnRequest crap will actually get
> > used by anyone?  Have your SPs been clamoring for the
> > MobileOneFactorUnregistered authentication context class, or the ability
> > to specify the saml:Conditions in the returned authentication assertion?
>
> Yes, GridShib needs this today.

So, some months from now, as an IdP weighing whether to use the new 
built-in Shib SSO or map into my existing webiso, I would probably 
conclude that my existing webiso can't meet Grid requirements, since it 
wasn't designed to meet them, and I would be inclined to just use built-in 
Shib, if it did meet them out of the box.  So this doesn't make the case 
for mapping.

> Instead of mapping the AuthnRequest schema onto yet another API, why not 
> simply pass the SAML itself and leave it to the SSO provider to parse. 
> In the end, everyone will consume and produce SAML, right? ;-)

Sure, I should have mentioned this as an option, but I assumed it was 
unattractive by definition.  If I were faced with this requirement, I 
would look around for existing code that parsed the AuthnRequest, and 
voila, there's some right inside Shib!  So I would ask:  can't I use the 
output of that code rather than duplicating it, which is the question at 
hand.

  - RL "Bob"