shibboleth-dev - RE: wrt user entry of a pointer to their IDP ..or.. "invisible SSO"

RE: wrt user entry of a pointer to their IDP ..or.. "invisible SSO"

  • From: "Josh Howlett" <>
  • To: <>
  • Cc: "Josh Howlett" <>
  • Subject: RE: wrt user entry of a pointer to their IDP ..or.. "invisible SSO"
  • Date: Wed, 12 Sep 2007 18:34:42 +0100

> > The first work item is 'unified Single Sign On' (uSSO). This uses
> > EAP-based network authentication (for example, over PPP, PPPoA, PPPoE,
> > IEEE 802.1X, IEEE 802.11i etc) to (1) transparently sign the user into
> > their IdP and (2) establish a discovery context with a WAYF or Discovery
> > Service. I have a draft spec in case anyone is curious and some interest
> > from a couple of vendors in implementing it.
>
> I'm curious about seeing the spec, thanks.

I'll mail it to you privately.

>
> > While uSSO mitigates some of the 'user experience' problems associated
> > with sign-on and discovery, I regard it more as a work-around rather
> > than a proper fix, which I believe necessitates a new Web SSO profile
> > that incorporates discovery explicitly. I have some rough ideas as to
> > how Kerberos might be used to realise this.
>
> for the vanilla-browser case?

Perhaps.

It's been recently pointed out to me that Negotiate (SPNEGO over HTTP),
which all modern browsers support, is a one-shot protocol and so does
not support channel bindings or mutual authentication of the GSS
mechanism (Kerberos, in this case). Fixing this would be quite an
effort.

Whether or not we care enough about the lack of these properties, in
this particular context, is another question. The idea of automagic IdP
discovery (bootstrapped by a discovery cue in service ticket) is
sufficiently appealing to me that I'm willing to hold my nose while I
investigate some more.

josh.
