
shibboleth-dev - RE: wrt user entry of a pointer to their IDP ..or.. "invisible SSO"

Subject: Shibboleth Developers


RE: wrt user entry of a pointer to their IDP ..or.. "invisible SSO"


  • From: "Josh Howlett" <>
  • To: <>
  • Cc: "Josh Howlett" <>
  • Subject: RE: wrt user entry of a pointer to their IDP ..or.. "invisible SSO"
  • Date: Wed, 12 Sep 2007 08:53:08 +0100

Jeff,

> As IDP discovery continues to be a key aspect of single
> signon protocol design, and has figured non-trivially in our
> work on SAMLv2, Liberty, etc, not to mention being a defining
> feature of OpenID, I'm quite interested in hearing the
> perspectives of the deployers/implementors in this community.

I'm currently engaged in some work in this area.

The first work item is 'unified Single Sign On' (uSSO). This uses
EAP-based network authentication (for example, over PPP, PPPoA, PPPoE,
IEEE 802.1X, IEEE 802.11i etc) to (1) transparently sign the user into
their IdP and (2) establish a discovery context with a WAYF or Discovery
Service. I have a draft spec in case anyone is curious and some interest
from a couple of vendors in implementing it.

While uSSO mitigates some of the 'user experience' problems associated
with sign-on and discovery, I regard it more as a work-around rather
than a proper fix, which I believe necessitates a new Web SSO profile
that incorporates discovery explicitly. I have some rough ideas as to
how Kerberos might be used to realise this.

best regards, josh.


