Shibboleth Developers

["Scott Cantor" <>]

> It will take me awhile to fathom this, but in the meantime I have a
> question.  What kicks off the process?  In other words, what tells the
> IdP that a decorated assertion is requested?  Is there something in
> the AuthnRequest that triggers this?

There's unlikely to be a need to restrict it, it just enables follow-on
requests subject to policies over what the service actually tries to do. I
think I made that point explicitly. It's likely either all on or just set
per SP. In Liberty they usually assume every SSO token contains a bootstrap
EPR for the discovery service.

BTW, if you're trying to learn WS security from that alone, I wouldn't
advise it. I'm sure there are better introductory sections in the specs. The
point wasn't a tutorial as much as a demonstration that it's possible to do
things without any new standards, and secondarily to point out how complex
WS-Security actually is.

-- Scott