
shibboleth-dev - SSO Integration in Shibboleth 2.0

Subject: Shibboleth Developers

  • From: <>
  • To: <>
  • Subject: SSO Integration in Shibboleth 2.0
  • Date: Tue, 18 Apr 2006 13:20:38 -0400

All-

 

I am looking for information about how Shibboleth 2.0 will integrate with an SSO service.  My understanding is that in Shibboleth 1.x, there is no need for Shibboleth to know about the type of SSO (authentication) service that the client used to authenticate.  The implication of this is that communication between the SSO service and Shibboleth is one-way from the SSO service to Shibboleth.  Shibboleth receives the name of the authenticated principal from the SSO service via the REMOTE_USER variable or via an HTTP header, but the SSO service does not have to receive any information from Shibboleth.

 

Based on the changes from SAML 1.1 to SAML 2.0, it’s pretty clear that this one-way communication paradigm between the SSO service and Shibboleth will not work for Shibboleth 2.0.  First, Shibboleth will need to notify the SSO service when a SAML single log-out action occurs, so that the client’s session with the SSO service can be terminated.  And second, depending on how the generation of authentication contexts is implemented, there may need to be some two-way communication between Shibboleth and the SSO service.  So it seems to me that Shibboleth 2.0 will need to be more tightly integrated with an SSO service than Shibboleth 1.x needs to be.

 

I’ve searched for info about this topic on the Shibboleth Wiki, but I haven’t found anything.  Can anybody tell me what has been decided about how Shibboleth 2.0 will interface with an SSO service?  Or alternatively, can you point me to some documentation about this topic?  Thanks for your help.

 

-Matt

 

PS: I am new to this list, and I posted this message here because it seemed to be a bit too technical and forward-looking for the shibboleth-users list.  I apologize if this is an inappropriate forum for this post.



