
shibboleth-dev - IdP discovery protocol news

Subject: Shibboleth Developers


IdP discovery protocol news


  • From: "Scott Cantor"
  • Subject: IdP discovery protocol news
  • Date: Tue, 30 Jan 2007 13:57:49 -0500

I prepared an OASIS draft from Rod's initial document and uploaded it as
shown:
http://www.oasis-open.org/archives/security-services/200701/msg00037.html

There was a bit of discussion today about it and they want to take it
forward in OASIS. There was particular concern about products not working
with Shib sites if we do this, and I did note that it was designed to help
multi-protocol sites, which of course all the products have to handle.

The draft I submitted includes a metadata extension that is designed to
limit the delivery of IdP data to authorized endpoints. This isn't quite the
same thing as the Shibboleth SessionInitiator, but it's likely that it will
be used by us in that way.

I have received some feedback already from one vendor that makes the
protocol a little more complex, but it's worthwhile feedback and I'm working
to keep the complexity to a minimum while still improving it.

I have also verified that the "Home Realm Discovery" thing that MS/IBM
published in WS-Federation 1.1 can be "spoofed" with this proposal such that
you could drive a response to such a product (ADFS 2.0?) from this protocol,
which is good, I guess. For due diligence, their proposal is not usable by
itself for Shibboleth, not least because you can't communicate the identity
of the SP and you can't include a passive flag.

If there's feedback from anybody else on this, please submit it here or to
the SSTC public comment site.

A second draft is going to be done by me that includes more expository text;
this was just a bare-bones version to get the protocol in front of the TC.

-- Scott