shibboleth-dev - RE: Browser/POST issue

Subject: Shibboleth Developers

RE: Browser/POST issue


  • From: <>
  • To: <>, <>
  • Cc: <>, <>
  • Subject: RE: Browser/POST issue
  • Date: Fri, 19 May 2006 16:51:47 -0400

Scott,

For now, can you help set up the following request? Basically we are looking
for the AssertionConsumerService to point to a custom URL of the pattern *.do
instead of SAML/POST.

> <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> entityID="http://shibboleth.gale.com">
>
> <SPSSODescriptor
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
> <KeyDescriptor>
> <ds:KeyInfo>
> <ds:KeyName>johnson.ggtest.com</ds:KeyName>
> </ds:KeyInfo>
> </KeyDescriptor>
> <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
> <AssertionConsumerService index="0"
> Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
> Location="http://find.gale.com/auth/authentication.do"/>
> <AssertionConsumerService index="1"
> Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
> Location="http://johnson.ggtest.com:9090/auth/capmAuthentication.do"/>
> </SPSSODescriptor>
>
> <Organization>
> <OrganizationName xml:lang="en">Gale</OrganizationName>
> <OrganizationDisplayName xml:lang="en">Gale</OrganizationDisplayName>
> <OrganizationURL
> xml:lang="en">http://www.ggtest.com/</OrganizationURL>
> </Organization>
> <ContactPerson contactType="technical">
> <SurName>Johnson</SurName>
>
> <EmailAddress></EmailAddress>
> </ContactPerson>
> <ContactPerson contactType="administrative">
> <SurName>admin</SurName>
>
> <EmailAddress></EmailAddress>
> </ContactPerson>
>
> </EntityDescriptor>


Regards
Johnson
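Before an SP registration like the one above is submitted to a federation, it is worth checking the metadata mechanically: the fragment in this thread has a stray `>.` inside one ACS Location and trailing whitespace in the entityID, both of which would silently break the Browser/POST endpoint. The script below is an added example (not code from the thread, Shibboleth, or Gale) that parses an SP metadata fragment, lists its AssertionConsumerService endpoints, and flags such defects. It assumes the SAML 2.0 metadata namespace, which the fragment above does not declare, and uses constructed hostnames (`sp.example.org`) in place of the real ones.

```python
"""Validate the AssertionConsumerService endpoints in a SAML SP metadata fragment."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespaces used by SAML 2.0 metadata and XML Signature (well-known URIs).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# SAML 1.x browser profile bindings, as used in the thread's metadata.
KNOWN_BINDINGS = {
    "urn:oasis:names:tc:SAML:1.0:profiles:browser-post",
    "urn:oasis:names:tc:SAML:1.0:profiles:artifact-01",
}

# Constructed sample: shaped like the metadata in the thread but with
# hypothetical hostnames. The first Location deliberately carries the stray
# '>.' and the entityID the trailing space seen in the original post, so the
# validator has something to flag.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://sp.example.org ">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <KeyDescriptor><ds:KeyInfo><ds:KeyName>sp.example.org</ds:KeyName></ds:KeyInfo></KeyDescriptor>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="http://sp.example.org/auth/authentication.do>."/>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
        Location="http://sp.example.org:9090/auth/capmAuthentication.do"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def extract_acs(metadata_xml):
    """Return (index, binding, location) tuples for every ACS element, in document order."""
    root = ET.fromstring(metadata_xml)
    endpoints = []
    for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        endpoints.append((int(acs.get("index")), acs.get("Binding"), acs.get("Location")))
    return endpoints


def validate_metadata(metadata_xml):
    """Return a list of human-readable problems; an empty list means the fragment passed."""
    problems = []
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID", "")
    if entity_id != entity_id.strip():
        problems.append("entityID has leading/trailing whitespace: %r" % entity_id)
    seen_indexes = set()
    for index, binding, location in extract_acs(metadata_xml):
        if index in seen_indexes:
            problems.append("duplicate ACS index %d" % index)
        seen_indexes.add(index)
        if binding not in KNOWN_BINDINGS:
            problems.append("ACS %d: unknown binding %s" % (index, binding))
        parts = urlsplit(location or "")
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append("ACS %d: Location is not an absolute http(s) URL: %r" % (index, location))
        elif any(ch in location for ch in "<>\"' "):
            problems.append("ACS %d: Location contains characters that do not belong in a URL: %r"
                            % (index, location))
    return problems


if __name__ == "__main__":
    for index, binding, location in extract_acs(SAMPLE_METADATA):
        print("ACS %d: %s -> %s" % (index, binding, location))
    for problem in validate_metadata(SAMPLE_METADATA):
        print("PROBLEM:", problem)
```

Run against the sample, the script reports two problems (the entityID whitespace and the `>.` in the index-0 Location); with those two characters removed it reports none. Because the ACS Location is where the IdP will POST the signed response, a federation operator would refuse or an IdP would fail to reach an endpoint carrying such stray characters, so catching them before registration is cheaper than debugging a silent POST failure afterwards.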

-----Original Message-----
From: Scott Cantor
[mailto:]
Sent: Wednesday, May 17, 2006 7:37 PM
To: Steinberg, Dan (Gale);

Cc: Rengarajan (Kumar), Selva (Gale); Kaniampurath, Johnson
Subject: RE: Browser/POST issue


> We are using RightAccess from eMeta as our authentication engine. The
> RightAccess authentication API accepts a list of CredentialTokens, one
> type of which is a CredentialShibbolethToken, which contains attributes
> for idp, federation, authenticationResponseXml, etc. RightAccess, upon
> receiving a CredentialShibbolethToken, authenticates using the
> Shibboleth Java API.

There is no such API. If they took code from our cvs, that's fine (provided
they honored the license), but it's not Shibboleth. I'm just trying to be
clear about who's responsible for what pieces.

> Our authentication servlet gathers credentials and passes them to
> RightAccess. An ACS does essentially the same thing with Shibboleth
> Credentials. Therefore, it is logical that the auth servlet
> and ACS be one and the same.

Indeed (to a point).

> Since the ACS is meant to be protected by mod_shib,

No, you misunderstand...the ACS is *part of* mod_shib, not protected by it.
If you perform that function, remove mod_shib. You're not using it.

> and since INQUEUE
> seems to dictate a fixed URL format for the ACS, we need to separate
> these two servlets.

There is no such requirement in any federation, least of all InQueue. I
misunderstood because, again, what you're asking here is NOT about
Shibboleth. It's about using somebody else's SAML implementation.

> b) The ACS should just blindly redirect to the Authentication Servlet.
>
> We are favoring (b) as it avoids code duplication.

Then the ACS is your business to implement. You shouldn't be using mod_shib
at all, and indeed you cannot if you're trying to do this. Just register
your SP with whatever ACS location you require, end of story.

> Johnson is under the impression that servlet filter is meant as an
> alternative to mod_auth. Is this correct?

Eventually there will be a Java filter that is an alternative to *mod_shib*,
yes. There is not now.

Sorry for the confusion,
-- Scott



