Shibboleth Developers

["Scott Cantor" <>]

Something I thought I'd toss out that came up at the Liberty meeting I
attended this week was the idea that even without SAML 2.0 ECP, one could
imagine defining a new SAML 2.0 binding from the SP that could involve
exploiting a MIME type (or yes an <object> tag ala InfoCard) to trigger a
browser plugin.

The idea came up in the context of phishing, in a particular Liberty use
case, and it seemed to me that any AuthnRequest is certainly an opportunity
for that and could benefit from a user-controlled layer. And of course, gee,
that also sort of helps with the discovery problem directly...

Anyway, the idea would be to really avoid the need for a ECP in a lot of
simple cases where all you want is just the ability to let the client direct
the request, and make sure that the user knows that the IdP they get to is
the one they configured.

The new binding would just enable the plugin to extract the request
information and then relay it to the IdP using one of the normal SAML
bindings. If the plugin wanted, of course, it could get more exotic and
parse the request to help the user, but that isn't strictly necessary.

Thoughts?

-- Scott