Shibboleth Developers

[Brett Lomas <>]

On Wed, 2007-05-30 at 12:16 -0400, Scott Cantor wrote:
> > Is this something useful, is there a better way to do this that I am
> > missing and if I did this would it be something that could be included
> > in the Shibboleth 1.3 distribution (and even in the Shib 2.0)?
> 
> I don't think we'd be too interested in including non-compliant work-arounds
> for any implementations other than older Shibboleth versions, and 2.0 will
> not include even that (that I know of anyway, there might be one parser bug
> workaround but that's all).
> 

Hi Scott thanks for the reply,

I would tend to agree with you if it is not compliant, but I thought
(and I am likely to be wrong here) that the SAML specification was for
the target parameter to be in all uppercase going into and out of the
ITS (according to the SAML 1.1 Bindings and Profiles on page 20),
although it does say recommended though.

It is also part of the spec that the ACS must use the issuer in the
assertion? I am asking this because if it is I will request a bug fix
etc from BEA.

It is likely that I am going to have to patch our copy of the Shibboleth
IdP as the easier way (less inertia!) to get our Shibboleth working with
WebLogic, but I might just extend the SSO handler and provide it as a
different Servlet.

> These are bugs in whatever SAML code (and the Shibboleth profile code) that
> you're using and should really be fixed there, especially that SAML profile
> behavior, which is simply not allowed by the standard. Not even the US govt
> ever went that far.

> What is the code anyway? Does WebLogic support SAML or something?
> 

Yea, WebLogic does support SAML 1.1 (both as an Asserting and Relying
Party) but it is not to the same extent as Shibboleth. WebLogic uses it
as a single domain SSO unlike Shibboleth's federated domain model.

I have also (for your information) noted (from the exceptions) that
they're using the Open SAML 1.1 library!

> -- Scott
> 
>