shibboleth-dev - SAML/shib 2 & authN referral

Subject: Shibboleth Developers

  • From: Tom Barton <>
  • To:
  • Subject: SAML/shib 2 & authN referral
  • Date: Mon, 19 Jun 2006 09:06:44 -0500

Versions of the shib IdP prior to 2.0 must arrange for its SSO endpoint to be protected by an external authentication service through the container in which it runs. One style of application this enables is what I'll call "authN referral", in which one IdP's SSO endpoint is exposed as an SP, allowing the authentication act to be referred back to some other IdP. The myVocs project relies on this, and other variations of a "Proxy IdP" concept are also floating around.

If I understand things correctly, with shib 2's implementation of SAML 2 authN context, the container will no longer be directly involved in authentication. But one can imagine that the authN context declarations provided to an IdP by an SP might in turn be referred by that IdP, acting as another SP, to some other IdP. This could effectively enable the same style of application.

Is something like this permissible, feasible, or planned? This seems different from delegation - is it?

Tom



