shibboleth-dev - Re: SAML/shib 2 & authN referral
Subject: Shibboleth Developers
List archive
- From: "Tom Scavo" <>
- To:
- Subject: Re: SAML/shib 2 & authN referral
- Date: Mon, 19 Jun 2006 12:30:59 -0400
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=MGtkKMGbPrUi8GrLnITBzzw+sHbmPY/9Rpvqc7v5719tZL2UjUPerL4KSEV2RCHCLNqlnRsF6JF0wwjz9CSr8KWzQvJ1A+o4afjhnXMCpocRZl6G5vTQ82NGSdSdZfFSI/w2NP1YjsjW8ym4UQbrFDfR5/4z+1yslcMPbwZR9ZI=
On 6/19/06, Scott Cantor
<>
wrote:
The original AuthnRequest can constrain the number of additional hops or
IdPs, and the "handler" in Shib 2.0 would itself be issuing an AuthnRequest
of its own after processing the original, and then presumably it would be
picking up the assertion from IdPB and transforming/mapping it into a new
assertion for the SP.
Or IdPA could simply pass the assertion from IdPB on through to the
original SP. If we assume the SP trusts IdPA (not an unreasonable
assumption it seems), then no transformation is necessary.
An open question is how much SP functionality such a proxy would need. With
the Java SP, presumably pieces of it could be embedded, but configuration
obviously starts to get pretty complex once you combine roles like that.
It's not impossible to imagine just implementing it by sticking the full SP
in front of the authentication handler that supports proxying. But maybe
not.
Even if the proxy is simply passing assertions on through to the
original SP, it needs most of the functionality of a full SP. If the
proxy has local functionality as well (like myVocs), then a fully
featured SP is required. In fact, even more is required, namely, the
ability to impersonate SPs.
Tom
- SAML/shib 2 & authN referral, Tom Barton, 06/19/2006
- RE: SAML/shib 2 & authN referral, Scott Cantor, 06/19/2006
- Re: SAML/shib 2 & authN referral, Tom Barton, 06/19/2006
- Re: SAML/shib 2 & authN referral, Chad La Joie, 06/19/2006
- Re: SAML/shib 2 & authN referral, Tom Barton, 06/19/2006
- Re: SAML/shib 2 & authN referral, RL 'Bob' Morgan, 06/19/2006
- RE: SAML/shib 2 & authN referral, Scott Cantor, 06/19/2006
- Re: SAML/shib 2 & authN referral, Tom Scavo, 06/19/2006
- RE: SAML/shib 2 & authN referral, Scott Cantor, 06/19/2006
- Re: SAML/shib 2 & authN referral, Tom Scavo, 06/19/2006
- RE: SAML/shib 2 & authN referral, Scott Cantor, 06/19/2006
- Re: SAML/shib 2 & authN referral, Tom Scavo, 06/20/2006
- RE: SAML/shib 2 & authN referral, Scott Cantor, 06/20/2006
- RE: SAML/shib 2 & authN referral, Scott Cantor, 06/20/2006
- Re: SAML/shib 2 & authN referral, Tom Scavo, 06/20/2006
- RE: SAML/shib 2 & authN referral, Scott Cantor, 06/20/2006
- Re: SAML/shib 2 & authN referral, Will Norris, 06/20/2006
- RE: SAML/shib 2 & authN referral, Scott Cantor, 06/20/2006
- RE: SAML/shib 2 & authN referral, Scott Cantor, 06/19/2006
- Re: SAML/shib 2 & authN referral, Tom Scavo, 06/19/2006
- RE: SAML/shib 2 & authN referral, Scott Cantor, 06/19/2006
- Re: SAML/shib 2 & authN referral, Tom Scavo, 06/19/2006
- RE: SAML/shib 2 & authN referral, Scott Cantor, 06/19/2006
- RE: SAML/shib 2 & authN referral, Scott Cantor, 06/19/2006
Archive powered by MHonArc 2.6.16.