
shibboleth-dev - Kerberos redirection at WAYF

Subject: Shibboleth Developers


Kerberos redirection at WAYF


  • From: Josh Howlett <>
  • To: ,
  • Subject: Kerberos redirection at WAYF
  • Date: Mon, 27 Mar 2006 13:59:11 +0100

Hi folks,

I've recently added experimental Kerberos (Negotiate) redirection support to SWITCH's excellent WAYF implementation.

http://www.switch.ch/aai/wayf/

The WAYF detects whether the browser supports Kerberos authentication; if so, it attempts to match the principal's Kerberos realm against known realms listed in the Federation metadata. If it finds a match, it automatically redirects the browser to the IdP's SSO server. If the browser does not support Negotiate, or no match is found, it falls back to the web GUI.

This is an experiment in two things:

1. Try to improve the user experience

If the IdP's SSO server also supports Negotiate, then the user experience is seamless: the browser is automatically redirected from SP to WAYF to IdP and back to SP without *any* user interaction.

2. Try to increase scalability of federations

The chances of a user incorrectly selecting the wrong IdP increase as the federation grows in size. Kerberos redirection takes the IdP-selection decision out of users' hands.

The patch requires a Negotiate enabled web server; it has been tested with Apache 2 and mod_auth_kerb running on RHEL4, a Windows 2000 KDC, and IE5+ (Windows) and Firefox (Windows, Linux). The browser must be configured to permit Negotiate authentication against the WAYF. A Kerberos cross-realm trust must exist between each IdP and the WAYF (however, note that no Kerberos trusts are required between IdPs!). A mix of Kerberised and non-Kerberised IdPs is fine.

Please note that this has not yet been tested on any significant scale, caveat emptor.

If you have any queries or suggestions, please drop me a line.

Thanks to Luke Haemmerle @ SWITCH for incorporating the patch.

best regards, josh.
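The realm-matching decision described in the post, written out as an added Python example (not the SWITCH WAYF's own code, which is not on this page). It assumes mod_auth_kerb has set REMOTE_USER to a `user@REALM` principal after a successful Negotiate exchange, and that the realm-to-SSO-URL map and the Shibboleth 1.x query parameter names (shire, target, providerId) stand in for whatever the real patch reads from the Federation metadata and the SP's request.

```python
import re
from urllib.parse import urlencode

# Constructed sample: realms a federation might publish for its IdPs, mapped to
# each IdP's SSO endpoint. Hypothetical values, not real federation metadata.
REALM_TO_SSO = {
    "EXAMPLE-UNI.AC.UK": "https://idp.example-uni.ac.uk/shibboleth-idp/SSO",
    "AD.OTHER-UNI.CH": "https://idp.other-uni.ch/shibboleth-idp/SSO",
}

_PRINCIPAL_RE = re.compile(r"^(?P<user>[^@]+)@(?P<realm>[^@]+)$")


def realm_from_principal(remote_user):
    """Return the Kerberos realm from a REMOTE_USER value such as
    'alice@EXAMPLE-UNI.AC.UK', or None when no Negotiate principal is present
    (browser did not do Negotiate, or the value is not user@REALM)."""
    if not remote_user:
        return None
    m = _PRINCIPAL_RE.match(remote_user)
    return m.group("realm") if m else None


def choose_redirect(remote_user, query, realm_map=REALM_TO_SSO):
    """Decide what the WAYF should do with one request.

    remote_user: the REMOTE_USER variable set by the Negotiate-enabled web server.
    query: the SP's WAYF request parameters (Shibboleth 1.x: shire, target, providerId).
    Returns the IdP SSO URL to redirect to, or None to fall back to the web GUI.
    Realm comparison is case-sensitive, as Kerberos realms are.
    """
    realm = realm_from_principal(remote_user)
    if realm is None or realm not in realm_map:
        return None  # no ticket or realm not in metadata: show the manual chooser
    params = {k: query[k] for k in ("shire", "target", "providerId") if k in query}
    if "shire" not in params or "target" not in params:
        return None  # SP request is incomplete; let the GUI report the error
    return realm_map[realm] + "?" + urlencode(params)
```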


