
shibboleth-dev - wrt user entry of a pointer to their IDP ..or.. "invisible SSO"

Subject: Shibboleth Developers

  • From: Jeff Hodges <>
  • To: ,
  • Subject: wrt user entry of a pointer to their IDP ..or.. "invisible SSO"
  • Date: Tue, 11 Sep 2007 16:36:38 -0700

[apologies for cross-post, but want to get to the union of these two lists]

ScottC tells me that what he has heard from this community is that everybody wants "invisible SSO", i.e. no prompts materialized to the user other than any ones necessary for credential entry (e.g. username & password). Of course, such a position has implications for IDP discovery approaches such as that built into OpenID.

I've groveled through chunks of the discussions on these lists over the past couple of years and haven't found clearly articulated positions along the lines of that expressed above, but have found Scott's challenge(s) (one is attached below).

As IDP discovery continues to be a key aspect of single signon protocol design, and has figured non-trivially in our work on SAMLv2, Liberty, etc, not to mention being a defining feature of OpenID, I'm quite interested in hearing the perspectives of the deployers/implementors in this community.

thanks,

=JeffH


-------- Original Message --------
Subject: RE: WAYF
Date: Fri, 12 Jan 2007 14:17:52 -0400
From: Scott Cantor

> > OpenID works by having the user enter
> > their OpenID (or in the future their
> > IdP itself) at the SP. I would strongly
> > urge people to start considering that
> > option. That's why IdPs have names.
>
> What's the difference between this and the notion of embedding the
> WAYF in the SP (which you've also favored)?

None, really, but embedding something with a complicated UI is a bit more to
take on than just having a text box in a form that points at
/Shibboleth.sso/Login

I'm looking at it this way...I can't get people to change their error pages.
What are the chances they will customize and make effective use of a WAYF
applet, which requires real work?

Why not prove the simplest solution fails before making work for ourselves?
Maybe the OpenID guys are just lazy, but I don't think it's that cut and
dried.

-- Scott



