Shibboleth Developers

["Scott Cantor" <>]

> Okay, now I'm confused. :-)  Remember that conversation we had about
> "masquerading SPs" last month?  The idea is that the proxy will
> impersonate the SP, obtain assertion(s) targeted at the SP, and return
> them to the SP unscathed.

Right. That's not proxying because the IdP at the end can't tell the
difference. I suppose you can honor various aspects of proxying conditions,
but you don't have to use the proxying processing rules.

Proxying is normally used when the relying party can't trust the signature
of the eventual IdP, or when the IdP doesn't support SAML. You can proxy
things like Passport and reflect that somehow in a deployment.

-- Scott