
shibboleth-dev - Re: Soliciting Feedback, Shibboleth 2 Roadmap

Subject: Shibboleth Developers

  • From: Jim Fox <>
  • To:
  • Subject: Re: Soliciting Feedback, Shibboleth 2 Roadmap
  • Date: Thu, 9 Mar 2006 22:33:00 -0800 (PST)



I'd like a little more detail on the suggestion below. Are you describing a standalone test SP and test IdP which would readily interact with anyone who knocked on their door, or that bilateral deployments be the default? I'm very much in favor of the first approach if we can implement it -- i.e. we couldn't use attribute callback without metadata, and probably other things I haven't thought through -- and badly scarred by the second, which has the challenges of two unknown entities.


It's actually the latter I recommend. I have little use for trials or test cases that lead users away from production rather than toward it. If we start people out with the bilateral deployment they not only end up with a legitimate, production system, but they can easily upgrade to a "known CA" federation. Starting them out with a "trust anybody" model or with a pretend federation (InQueue) only hides misconfigurations that will become encumbrances later.

Providing a test IdP and SP is certainly invaluable for new adopters, especially those not implementing both IdP and SP. But allowing those test sites to use bilateral trust arrangements does not seem so difficult. For your test sites it is as easy to import a cert as it is to import a urn or a CN.

Jim



