
shibboleth-dev - RE: IdP discovery protocol news

  • From: "Alistair Young" <>
  • Subject: RE: IdP discovery protocol news
  • Date: Tue, 6 Feb 2007 17:45:15 -0000 (GMT)
  • Importance: Normal

> "duplicated" across all its installations
yes but that's what SOA is about. Removing common functionality and making
it a service. All SPs need to discover. They could all do it in different
ways with different UIs and no continuity for the user across resources
in a federation. Or it could be abstracted out and made a service. So you
specify your IdP in the same way across all resources.
Maybe that's federation utopia though.

> It can't even agree to put smarter software on servers.
ah but what do you mean by "server"? Do you mean SP? No, they won't.
They're all running down SOA street. Until the next signpost that is...

> I have little
> doubt that federations will deploy such gateways
yes, the Athens service in the UK does just that.

> They just stay in place
> forever
yes, that's their business model. If a small subset of their profits come
from SAML-enabled federation users then a gateway will be more cost
effective for them.
If a chief exec in the UK wants to tap into a Russian market, they don't
Russian-enable themselves, they hire a translator. A gateway to that
market.

> They violate privacy
now that's interesting. How do you see a piece of non-sentient software
violating privacy? Schrodinger's Cat? The data is inviolate until
processed? So whatever entity processes it should be the one it's intended
for?

> How many
> people have multiple IdPs that all give them access to overlapping
> services?
> Not very many
no, I'll grant you that. It was an extreme example. Semantic web demands
extreme flexions of the imagination though!

> we have enough trouble arguing that people have one
> IdP
:) I myself have two though!

> Ok, but meanwhile, by the time you get that built, Cardspace is out and
> people are no longer using browsers to do discovery...
by people you mean Windows users? Yes but what about the rest of us
Maccies, Linuxers, Solarisites, other assorted weirdos?

> just put a nice little box on the page to enter the IdP and go on to more
> interesting topics.
LOL! I wish I could. You haven't seen my users!

Alistair


--
mov eax,1
mov ebx,0
int 80h

>> is that not against the SOA movement these days? Having a big blob of an
>> SP, with duplicated functionality in each one, all needing updated to
>> keep
>> up with profile changes?
>
> So when you change your non-SAML profile, nothing changes? Any software is
> "duplicated" across all its installations.
>
> This is the old argument against client software. This is why I laugh at
> people that think this community will happily embrace new clients to
> replace
> browsers. It can't even agree to put smarter software on servers.
>
> Of course, if we wanted to support SAML 2.0 by translating everything at a
> gateway, we could do that. That isn't this project's goal. I have little
> doubt that federations will deploy such gateways. As migration tools they
> are attractive. But that's not what happens. They just stay in place
> forever. They violate privacy. They add points of failure. Etc.
>
>> Yes the SP will have most of the information but the DS will have some
>> too
>> and the decision will be based on rules that could change all the time.
>
> I think you're making the problem much more complex than it is. How many
> people have multiple IdPs that all give them access to overlapping
> services?
> Not very many. Heck, we have enough trouble arguing that people have one
> IdP
> at this point.
>
>> A semantic discovery service (SDS) would be an interesting creature.
>> Client from 10.192.3.2 wants to access /medicalimages/gore.jpg. hmmm
>> says
>> SDS, I know that that IP block has several IdPs and that one of them is
>> in
>> the Faculty of Cutting Things Up. Ontological references equate cutting
>> things up with medical images. "That's your best bet" it says to the SP.
>> SP says, is this your IdP? If yes, SP can communicate back to SDS saying
>> "well done" and SDS learns...
>
> Ok, but meanwhile, by the time you get that built, Cardspace is out and
> people are no longer using browsers to do discovery...
>
> I think what you're describing here is overkill, basically, and you could
> just put a nice little box on the page to enter the IdP and go on to more
> interesting topics.
>
> -- Scott