Shibboleth Developers

[Velpi <>]

> > - A robust mechanism at the SP that exposes a signed attribute
> > assertion to applications
>
> This is pretty much a must have for 2.1, but it probably will get done for
> 2.0. To a point anyway, but the whole approach is really geared to 2.0
> assertions. There's nothing really useful about having a signed 1.1 SSO
> assertion or attribute query results as they are not forwardable. At least
> not in the context of what the SP's doing. Obviously raw SAML code using the
> same bits to do something new is free to do whatever it likes.

Maybe a little off-topic, but surely a direction to keep in mind:
Once the signed assertions are forwardable, some kind of PAM-SAML (or 
JAAS-SAML) module should able to support the long-awaited (at least by 
us) delegation in some fashion.
Or maybe artifact and dereferencing would be nicer for a PAM/JAAS module 
(probably more complex though).

Then again, delegation isn't a Shib 2.0 issue, if I'm understanding it 
correctly.

--Velpi