
shibboleth-dev - Shibboleth doubts

Subject: Shibboleth Developers


Shibboleth doubts


  • From: André Cruz <>
  • To:
  • Subject: Shibboleth doubts
  • Date: Sat, 14 Apr 2007 11:36:51 +0100

Hello all.

I have a few questions/suggestions regarding the development of shibboleth.

One of the main features that I need from Shib 2.0 is the single logout feature. Right now we log out from the current application the user's in and the IdP, but all the other applications the user has logged into remain oblivious to the logout (we suggest that our users close the browser but not all of them do it).

What I would like to know is how this will be implemented in Shib 2.0. Will the IdP store which applications have requested the attributes and notify them on a logout? How will this information be shared among an IdP cluster? Maybe in some scenarios (small number of SPs and lots of users) it would be better just to notify all SPs and this way no state would have to be stored/shared?

Another feature that I would like is to be able to set an SSO lifetime per Application (and force a re-auth at the IdP). I have been working on this with Shib1.3 (I sent some emails to the -users list but the solution is not really perfect). Since Shib will be handling the Auth as well I think this feature should not be too hard to implement?

Another problem I'm having now is regarding the load balancing of the SPs. Our applications normally have more than one front-end behind a VIP and a cluster of Perlbals. What this means is that sticky sessions would not be very efficient. So, the redirects from the SPs most of the time end up on another SP and some redirects happen that could have been avoided. Most of the applications use a database to store their sessions so a session cache plugin that used this database would be a good option I think. I read in the wiki that Shib2.0 would include a cache plugin that supports ODBC, this will solve my problem, right?

Thanks and keep up the good work. :)

André

