shibboleth-dev - RE: IdP discovery protocol news



  • From: "Josh Howlett" <>
  • To: <>
  • Cc: "Josh Howlett" <>
  • Subject: RE: IdP discovery protocol news
  • Date: Sat, 14 Apr 2007 21:59:46 +0100

I only have one observation, which is perhaps somewhat trivial. The term
"Discovery service" closely resembles some of the nomenclature
("Discovery Service") already established within ID-WSF. This might
conceivably cause some confusion.

josh.

> -----Original Message-----
> From: Scott Cantor
> [mailto:]
>
> Sent: 30 January 2007 18:58
> To:
>
> Subject: IdP discovery protocol news
>
> I prepared an OASIS draft from Rod's initial document and
> uploaded it as
> shown:
> http://www.oasis-open.org/archives/security-services/200701/msg00037.html
>
> There was a bit of discussion today about it and they want to
> take it forward in OASIS. There was particular concern about
> products not working with Shib sites if we do this, and I did
> note that it was designed to help multi-protocol sites, which
> of course all the products have to handle.
>
> The draft I submitted includes a metadata extension that is
> designed to limit the delivery of IdP data to authorized
> endpoints. This isn't quite the same thing as the Shibboleth
> SessionInitiator, but it's likely that it will be used by us
> in that way.
>
> I have received some feedback already from one vendor that
> makes the protocol a little more complex, but it's worthwhile
> feedback and I'm working to keep the complexity to a minimum
> while still improving it.
>
> I have also verified that the "Home Realm Discovery" thing
> that MS/IBM published in WS-Federation 1.1 can be "spoofed"
> with this proposal such that you could drive a response to
> such a product (ADFS 2.0?) from this protocol, which is good,
> I guess. For due diligence, their proposal is not usable by
> itself for Shibboleth, not least because you can't
> communicate the identity of the SP and you can't include a
> passive flag.
>
> If there's feedback from anybody else on this, please submit
> it here or to the SSTC public comment site.
>
> A second draft is going to be done by me that includes more
> expository text, this was just a bare bones version to get
> the protocol in front of the TC.
>
> -- Scott
>
>
>


