Shibboleth Developers

[Bradley Beddoes <>]

Scott,
On initial reading it seems quite reasonable and rather easy to support, 
will be interested to see the mentioned additions below you speak about 
from the vendor and the second draft.

regards,
Bradley


Scott Cantor wrote:
> I prepared an OASIS draft from Rod's initial document and uploaded it as
> shown:
> http://www.oasis-open.org/archives/security-services/200701/msg00037.html
>
> There was a bit of discussion today about it and they want to take it
> forward in OASIS. There was particular concern about products not working
> with Shib sites if we do this, and I did note that it was designed to help
> multi-protocol sites, which of course all the products have to handle.
>
> The draft I submitted includes a metadata extension that is designed to
> limit the delivery of IdP data to authorized endpoints. This isn't quite the
> same thing as the Shibboleth SessionInitiator, but it's likely that it will
> be used by us in that way.
>
> I have received some feedback already from one vendor that makes the
> protocol a little more complex, but it's worthwhile feedback and I'm working
> to keep the complexity to a minimum while still improving it.
>
> I have also verified that the "Home Realm Discovery" thing that MS/IBM
> published in WS-Federation 1.1 can be "spoofed" with this proposal such that
> you could drive a response to such a product (ADFS 2.0?) from this protocol,
> which is good, I guess. For due diligence, their proposal is not usable by
> itself for Shibboleth, not least because you can't communicate the identity
> of the SP and you can't include a passive flag.
>
> If there's feedback from anybody else on this, please submit it here or to
> the SSTC public comment site.
>
> A second draft is going to be done by me that includes more expository text,
> this was just a bare bones version to get the protocol in front of the TC.
>
> -- Scott