
shibboleth-dev - RE: Shibboleth and Kerberos Tickets

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Shibboleth and Kerberos Tickets
  • Date: Thu, 12 Jul 2007 11:16:52 -0400
  • Organization: The Ohio State University

> I'm pretty much a Kerb noob, so maybe this is a silly question, but
> isn't it the case that this feature would only be usable
> intra-organizationally (unless you wanted to do realm trust
> relationships)? Not that such a limit makes this unworthy of pursuit,
> but I just want to make sure I understand things correctly.

Yes, it's an enhancement of interest to sites that are using a SSO system
that already supports these features and don't want to lose them if they
choose to deploy Shibboleth in its place.

Arguably, some of the work might be generalizable to exchanging other
security tokens, some possibly federatable, within the SAML framework. One
of the FUD points used by WS-Trust proponents to attack SAML is that the
SAML protocol usually requires the use of SAML assertions. This is true
(aside from the ability to just create new messages that don't), but ignores
the fact that SAML assertions can already wrap any token type.
SubjectConfirmation supports the same kind of meta-protocol for security
constraints that WS-Trust has.

-- Scott




