Skip to Content.
Sympa Menu

shibboleth-dev - Re: Browser-intermediated SSO

Subject: Shibboleth Developers

List archive

Re: Browser-intermediated SSO


Chronological Thread 
  • From: Ian Young <>
  • To:
  • Subject: Re: Browser-intermediated SSO
  • Date: Wed, 07 Dec 2005 17:57:20 +0000

Scott Cantor wrote:

Anyway, the idea would be to really avoid the need for a ECP in a lot of
simple cases where all you want is just the ability to let the client direct
the request, and make sure that the user knows that the IdP they get to is
the one they configured.

The new binding would just enable the plugin to extract the request
information and then relay it to the IdP using one of the normal SAML
bindings. If the plugin wanted, of course, it could get more exotic and
parse the request to help the user, but that isn't strictly necessary.

Thoughts?

Let me read that back to you, to get the idea clear in my head.

The idea is to have something very simple fired up in the browser to do discovery. You could invent a simpler version of either the ECP idea (say "I'm special" in an HTTP header and let the SP hand back some XML with a special MIME type) or the InfoCard idea (HTTP response contains an <object> element) but in each case you'd be passing back an AuthnRequest or something of that order rather than something SOAPy (ECP) or doing complicated WS-* things (InfoCard).

I'm guessing that you're thinking of the SAML 2.0 AuthnRequest rather than some encoding of the Shibboleth 1.0 AuthRequest. Seems like some variant of the old profile would work, though, particularly with the <object> route. Might be easier to get an experimental platform this way.

"All" the plugin has to do is (optionally) peek into the message to get clues, interact with the user to select an IdP (or maybe the simplest case is that the user has pre-selected one) and then relay the message unchanged to an appropriate destination.

It sounds like an attractive simplification of the client-side discovery idea.

If its the MIME-type variant, my main issue would be that presumably one would find oneself in the business of building different handlers for different browsers. Rod and I have kicked some ideas around in this area before, but we always got stuck when we realised we'd have to actually read all the docs for several browsers to find out enough to make a real evaluation.

The <object> variant is similar, I guess, except that perhaps you'd have some possibility of working up something that could use a Java applet and therefore get some level of cross-browser support more easily. Again, I'm limited by not knowing the exact shape of the hole the helper code would have to plug into. But I'd have to say I'm intrigued by the idea.

-- Ian



Archive powered by MHonArc 2.6.16.

Top of Page