Shibboleth Developers

["Tom Scavo" <>]

On 3/10/06, Scott Cantor 
<>
 wrote:
>
> > > Identity Provider
> > > Enhanced installation, deployment, and manageablity features:
> >
> > FWIW, I agree with Jim on this point: Shib 2.0 should "just work" out
> > of the box, which necessitates a bilateral deployment.
>
> It can't do this unless we ask for all the information needed to fill in all
> of the options we need to set for the installation.

I'm not sure I entirely understand.  Would it help if there were a
tool that produced metadata from the underlying config?

> > >     * Support for SAML IdP cookies as defined by the SAML 2.0
> > >     specification
> >
> > Maybe I'm missing something but I don't see the utility of this
> > profile.  In any event, can/should this be pushed back to Shib 2.1?
>
> The SP already supports this, sort of. There isn't much else to do. This
> isn't the shared domain thing, so the IdP doesn't really get involved.

Ah, I see, then maybe you should rewrite that line in the Roadmap
since it seems to imply you're gonna support the SAML 2.0 IdP
Discovery Profile.

> > - A robust mechanism at the SP that exposes a signed attribute
> > assertion to applications
>
> This is pretty much a must have for 2.1, but it probably will get done for
> 2.0. To a point anyway, but the whole approach is really geared to 2.0
> assertions. There's nothing really useful about having a signed 1.1 SSO
> assertion or attribute query results as they are not forwardable.

Again, I think you're focusing on the SSO profiles.  I have a use case
today that could leverage signed attribute assertions.  They would
save us a ton of work.

> > - Support for LOA attributes
>
> Not sure what you mean precisely.

I won't go there just now. ;-)  It won't help us much with 1.3 anyway.

Thanks,
Tom