
shibboleth-dev - Re: Cardspace + Shibboleth

Subject: Shibboleth Developers


Re: Cardspace + Shibboleth


  • From: Jim Fox <>
  • To:
  • Subject: Re: Cardspace + Shibboleth
  • Date: Wed, 21 Feb 2007 12:22:46 -0800 (PST)



> Either Shibboleth's IdPs and RPs support the generation and reception of InfoCards and we have cardspace and SAML in parallel.

You could allow a shib IdP to issue infocards. It might even use
shib's attribute resolver machinery. Since the infocard model is
inclined to give users control over attribute release shib's arp
release policies might not be of as much use.

On the SP side you could use shib's metadata and attribute acceptance
policies to filter claims gotten from an infocard login. Any IdP
discovery would be out of order, as the web application's page
would have to itself contain the link to trigger card login.

> Or we support the reception of infocards when we login at the IdP and the rest of the process is SAML.

You could use an infocard in lieu of whatever means you now use to
authenticate users at the IdP - probably a web form. Likely only
your own cards would have any use here, but it would be another
way to get the user's id and password. And if you could train all
of them to never type a password into any web page ever again this
might help solve the phishing problem. They would always use their
cards and not be deceived by bogus sites.

The user experience here might be a bit disconcerting though.
Any hit on a shibbolized application results in the card system
telling the user that 'weblogin' wants a card, not the SP itself
-- their usual experience with infocard. They are also told that
the only claim being released is the userid, which is all you
need to log them in - when they may have already been told their
employee id, say, will be given to this SP. I suppose this
corruption of the infocard system might be considered perfect irony,
in that it mimics Microsoft's patented way of "working with" other
products, but I think it would be confusing to users.

The problems result from Shibboleth and Cardspace having opposite
approaches to identification. Shib tries to be as quiet,
backroom, discreet, and invisible as possible, whereas cardspace
is in-your-face, multi-step, do nothing else, login every time.
The former is clearly best for me at work, where I might daily
connect to twenty or more sites that want to know who I am.
I certainly don't want to go through an infocard login each time.
However, if I'm buying something with a credit card maybe I'd prefer
the loud login to the silent one.

Jim
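The SP-side idea in the message above, filtering the claims obtained from an infocard login through an issuer-scoped acceptance policy before trusting them, can be sketched as follows. This is an added example and not code from the thread or from the Shibboleth project; the policy shape, the issuer identifiers, the claim names and the sample claims are all constructed for illustration.

```python
"""
Added example (not from the thread or the Shibboleth project): filter the
claims returned by an InfoCard login against a per-issuer acceptance policy,
in the spirit of Shibboleth's attribute acceptance policies. The policy shape,
issuer identifiers, claim names and sample claims below are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    issuer: str       # who signed the card's token (the IdP), or "self-issued"
    claim_type: str   # attribute name carried in the token
    value: str


# Acceptance policy (constructed): which claim types the SP will trust from
# which issuer. A hypothetical campus IdP may assert the principal name and an
# employee number; a self-issued personal card may only assert a PPID and an
# e-mail address, because anything else on it is the user's own say-so.
ACCEPTANCE_POLICY = {
    "https://idp.example.edu/infocard": {"eduPersonPrincipalName", "employeeNumber"},
    "self-issued": {"privatepersonalidentifier", "emailaddress"},
}

# Claim type the SP uses as the login identity, and the issuers allowed to assert it.
PRINCIPAL_CLAIM = "eduPersonPrincipalName"


def filter_claims(claims, policy):
    """Split claims into (accepted, rejected).

    A claim is accepted only when its issuer is known to the policy and the
    claim type is on that issuer's allow-list. Claims from unknown issuers are
    rejected wholesale, as are managed attributes a self-issued card tries to
    assert about its holder.
    """
    accepted, rejected = [], []
    for claim in claims:
        allowed = policy.get(claim.issuer, set())
        (accepted if claim.claim_type in allowed else rejected).append(claim)
    return accepted, rejected


def login_principal(accepted_claims):
    """Return the principal name to log the user in as, or None if no accepted
    claim supplies one. Call this only on the output of filter_claims, so that
    a self-asserted principal name can never reach the session."""
    for claim in accepted_claims:
        if claim.claim_type == PRINCIPAL_CLAIM:
            return claim.value
    return None


# Constructed sample token contents: two legitimate IdP claims, one harmless
# self-issued claim, one self-issued claim that tries to assert an employee
# number, and one claim from an issuer the SP has no metadata for.
SAMPLE_CLAIMS = [
    Claim("https://idp.example.edu/infocard", "eduPersonPrincipalName", "jsmith@example.edu"),
    Claim("https://idp.example.edu/infocard", "employeeNumber", "123456"),
    Claim("self-issued", "emailaddress", "jsmith@mail.example"),
    Claim("self-issued", "employeeNumber", "000001"),
    Claim("https://unknown.example/idp", "eduPersonPrincipalName", "someone@unknown.example"),
]

if __name__ == "__main__":
    accepted, rejected = filter_claims(SAMPLE_CLAIMS, ACCEPTANCE_POLICY)
    for claim in accepted:
        print("accept", claim.issuer, claim.claim_type, claim.value)
    for claim in rejected:
        print("reject", claim.issuer, claim.claim_type, claim.value)
    print("login as:", login_principal(accepted))
```

The point of keying the policy on the issuer rather than on the claim type alone is the one Jim raises for the IdP-login variant: which attributes the SP has been told it will receive, and from whom, should be decided by SP-side metadata and policy, not by whatever the card happens to carry.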




