shibboleth-dev - RE: IdP discovery protocol news
Subject: Shibboleth Developers
List archive
- From: "Josh Howlett" <>
- To: <>
- Cc: "Josh Howlett" <>
- Subject: RE: IdP discovery protocol news
- Date: Sat, 14 Apr 2007 21:59:46 +0100
I only have one observation, which is perhaps somewhat trivial. The term
"Discovery service" closely resembles some of the nomenclature
("Discovery Service") already established within ID-WSF. This might
conceivably cause some confusion.
josh.
> -----Original Message-----
> From: Scott Cantor
> [mailto:]
>
> Sent: 30 January 2007 18:58
> To:
>
> Subject: IdP discovery protocol news
>
> I prepared an OASIS draft from Rod's initial document and
> uploaded it as
> shown:
> http://www.oasis-open.org/archives/security-services/200701/ms
g00037.html
>
> There was a bit of discussion today about it and they want to
> take it forward in OASIS. There was particular concern about
> products not working with Shib sites if we do this, and I did
> note that it was designed to help multi-protocol sites, which
> of course all the products have to handle.
>
> The draft I submitted includes a metadata extension that is
> designed to limit the delivery of IdP data to authorized
> endpoints. This isn't quite the same thing as the Shibboleth
> SessionInitiator, but it's likely that it will be used by us
> in that way.
>
> I have received some feedback already from one vendor that
> makes the protocol a little more complex, but it's worthwhile
> feedback and I'm working to keep the complexity to a minimum
> while still improving it.
>
> I have also verified that the "Home Realm Discovery" thing
> that MS/IBM published in WS-Federation 1.1 can be "spoofed"
> with this proposal such that you could drive a response to
> such a product (ADFS 2.0?) from this protocol, which is good,
> I guess. For due diligence, their proposal is not usable by
> itself for Shibboleth, not least because you can't
> communicate the identity of the SP and you can't include a
> passive flag.
>
> If there's feedback from anybody else on this, please submit
> it here or to the SSTC public comment site.
>
> A second draft is going to be done by me that includes more
> expository text, this was just a bare bones version to get
> the protocol in front of the TC.
>
> -- Scott
>
>
>
- RE: IdP discovery protocol news, Josh Howlett, 04/14/2007
- RE: IdP discovery protocol news, Scott Cantor, 04/14/2007
Archive powered by MHonArc 2.6.16.