
shibboleth-dev - RE: Browser-intermediated SSO

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Browser-intermediated SSO
  • Date: Wed, 7 Dec 2005 13:26:55 -0500
  • Organization: The Ohio State University

> The idea is to have something very simple fired up in the browser to do
> discovery.

It's a bit broader than that. It might be used to support some kind of
anti-phishing functionality because the user gets to explicitly direct the
request to a "known" location, instead of relying on the SP or a WAYF to do
so.

> You could invent a simpler version of either the ECP idea
> (say "I'm special" in an HTTP header and let the SP hand back some XML
> with a special MIME type) or the InfoCard idea (HTTP response contains
> an <object> element) but in each case you'd be passing back an
> AuthnRequest or something of that order rather than something SOAPy
> (ECP) or doing complicated WS-* things (InfoCard).

Correct.

> I'm guessing that you're thinking of the SAML 2.0 AuthnRequest rather
> than some encoding of the Shibboleth 1.0 AuthRequest. Seems like some
> variant of the old profile would work, though, particularly with the
> <object> route. Might be easier to get an experimental platform this way.

Possibly so. It is mostly independent of the protocol, but adding multiple
protocols into the picture raises the spectre of more complexity for things
like translation. Basically anything the WAYF might be expected to do might
become fair game for this, so keeping it simple to start with is good.

> The <object> variant is similar, I guess, except that perhaps you'd have
> some possibility of working up something that could use a Java applet
> and therefore get some level of cross-browser support more easily.

I don't know enough about how it would be realized at this stage.

-- Scott



