Shibboleth Developers

[Tom Scavo <>]

On 12/12/05, Scott Cantor 
<>
 wrote:
> > > Shibboleth identifiers are as SP-specific as you want them to be.
> >
> > Could you explain a bit more what you mean?  (The target SP is not
> > involved in the production or consumption of the identifier AFAIK.)
>
> If that's true, then the API is broken, since we can't do federated IDs
> without that parameter.

There is a ServiceProvider argument in the API, but unless I've missed
something, it's not used in any existing implementation of
NameIdentifierMapping.

> > Sorry, I failed to make things clear before...the CA *is* generating
> > the key for the client.
>
> Umm. That's not how the kX.509 thing works at Michigan, I don't think, so
> why would anybody accept that? The client should generate the key and send
> the public half up to the CA to get the cert issued...

Well, I'll have to look into this some more...I didn't think our
online CA worked that way.

> > Okay.  So specifying Conditions to hold the TTL is the way to
> > go in this case?
>
> Assuming you mean NotBefore and NotOnOrAfter, then yeah, that's probably
> what I would do.

Okay, cool :-)

Thanks,
Tom