Shibboleth Developers

[Ian Young <>]

Scott Cantor wrote:

> Anyway, the idea would be to really avoid the need for a ECP in a lot of
> simple cases where all you want is just the ability to let the client direct
> the request, and make sure that the user knows that the IdP they get to is
> the one they configured.
>
> The new binding would just enable the plugin to extract the request
> information and then relay it to the IdP using one of the normal SAML
> bindings. If the plugin wanted, of course, it could get more exotic and
> parse the request to help the user, but that isn't strictly necessary.
>
> Thoughts?

Let me read that back to you, to get the idea clear in my head.

The idea is to have something very simple fired up in the browser to do 
discovery.  You could invent a simpler version of either the ECP idea 
(say "I'm special" in an HTTP header and let the SP hand back some XML 
with a special MIME type) or the InfoCard idea (HTTP response contains 
an <object> element) but in each case you'd be passing back an 
AuthnRequest or something of that order rather than something SOAPy 
(ECP) or doing complicated WS-* things (InfoCard).

I'm guessing that you're thinking of the SAML 2.0 AuthnRequest rather 
than some encoding of the Shibboleth 1.0 AuthRequest.  Seems like some 
variant of the old profile would work, though, particularly with the 
<object> route.  Might be easier to get an experimental platform this way.

"All" the plugin has to do is (optionally) peek into the message to get 
clues, interact with the user to select an IdP (or maybe the simplest 
case is that the user has pre-selected one) and then relay the message 
unchanged to an appropriate destination.

It sounds like an attractive simplification of the client-side discovery 
idea.

If its the MIME-type variant, my main issue would be that presumably one 
would find oneself in the business of building different handlers for 
different browsers.  Rod and I have kicked some ideas around in this 
area before, but we always got stuck when we realised we'd have to 
actually read all the docs for several browsers to find out enough to 
make a real evaluation.

The <object> variant is similar, I guess, except that perhaps you'd have 
some possibility of working up something that could use a Java applet 
and therefore get some level of cross-browser support more easily. 
Again, I'm limited by not knowing the exact shape of the hole the helper 
code would have to plug into.  But I'd have to say I'm intrigued by the 
idea.

        -- Ian