
shibboleth-dev - RE: IdP discovery protocol news

Subject: Shibboleth Developers




  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: IdP discovery protocol news
  • Date: Tue, 6 Feb 2007 15:49:53 -0500
  • Organization: The Ohio State University

> Firstly, I can't read Scott's document, because we're not a member of
> OASIS, so I can't log in to their site.

I sent the public link immediately after I accidentally sent the private
one. I don't have it handy; it should be quite near the top of this thread.
I think it's mostly irrelevant, for all the reasons you stated.

The only comment I'll make is that for SAML 2.0, you *really* don't want to
be building the request yourself. Linking to the IdP's SSO would be replaced
by a link back to your SP's SessionInitiator. You can do this now, in fact.

This is not the same thing as a lazy session, but it uses some of the same
functionality and I think that's why people confuse them.

> The bottom line, from my perspective is that it's not clear to me that
> 3rd-party discovery services will be of much use to us, especially when
> we're trying to support auth methods other than Shibboleth within the
> same DS.

I agree. That's why it gets a bit frustrating arguing over something that is
effectively useless for most applications, but people insist on using.

The goal for 2.0 was to get the WAYF out of the middle of the flow, so to
speak.

-- Scott




