Shibboleth Developers

["Scott Cantor" <>]

> I think there are 2 approaches regarding Cardspace support.

There are probably many such approaches, but none of them are openly defined
at this point save for just supporting the Microsoft specs, and their client
only supports their specs anyway.

> Or we support the reception of infocards when we login at the IdP and
> the rest of the process is SAML.

I don't think it's that simple. The only thing approximating existing SAML
protocol is spoofing an unsolicited response from the IdP by issuing it from
the client, and Cardspace can't do that.

The problem is that you can't just have Cardspace authenticate to the IdP
and then expect it to do whatever thing you'd like to do. It follows their
profile, nothing else. If they choose to make it do OpenID, that's up to
them, but only MS can do that. And they won't allow it to do SAML alone,
so...

Of course, you can build a gateway, but that has very little to do with
Shibboleth supporting Cardspace per se. You could do it with Ping's Apache
module, for example, and pop that in front of a second IdP.

-- Scott