
shibboleth-dev - RE: Questions about shibboleth

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Questions about shibboleth
  • Date: Thu, 13 Sep 2007 14:40:32 -0400
  • Organization: The Ohio State University

> 1. Is there a developer's guide/resource available? After Shibboleth is
> set up, how can a developer leverage it in existing Java-based
> applications?

Generally, you don't. Write your application to obtain attribute information
from REMOTE_USER or other headers using names you're comfortable with, and
that's it.

If you don't want to or can't rely on the software for session management,
isolate the parts of the app that involve the authentication UI and invoking it
to the edges, and you can glue it to Shibboleth using some simple redirects.

The goal is not to tie your application to Shibboleth, to the extent that
it's possible to avoid it. We don't want to lock you in.

> 2. Can I have Shibboleth and ADFS in the same federation? I have seen
> examples of Shibboleth and ADFS interoperating, but never in the same
> federation.

There's no such thing as a federation to the software, so the answer is not
a technical one. If your federation is supplying all of your metadata, then
it's up to the federation to supply metadata advertising ADFS support. If it
doesn't, then you'd be on your own to support and deploy it.

Discovery complicates any multi-protocol deployment, and if you hand off
control to a WAYF, you're done, unless you change it to support ADFS and/or
handle protocol translation.

The 1.3 SP has rudimentary capabilities to handle protocol selection, but
works better if the IdP in question only supports one or the other. The 2.0
SP will have a somewhat more flexible protocol precedence mechanism, but it
still can't deal with discovery by itself.

> 3. In the end I would like to accomplish the following: log in to a
> Shibboleth-aware application and then try to use an ADFS-based application
> without having to log back in (and vice versa). Is this possible? If so,
> is there a document I can walk through to figure this out?

That's not even a Shibboleth issue, it's a "how you do authentication"
issue. SSO in 1.3 is a function of the login mechanism, not the IdP or which
protocol you use later.

-- Scott
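The gluing described in the reply (read the identity the SP exports, keep the login hand-off at the edge, give the rest of the app names of its own), as an added example that is not part of the original message or of the Shibboleth project's own code: a servlet Filter for a Java web application running behind a Shibboleth SP. It assumes the SP exports the principal as REMOTE_USER (visible to the container through getRemoteUser() when the web server hands the request over via AJP), that attributes arrive either as AJP request attributes or as request headers under whatever names the SP's attribute mapping emits (the name `affiliation` below is an assumed one), and that the SP's session initiator is reachable at /Shibboleth.sso/Login (an assumed handler path; check the SP configuration in use).

```java
// Added example, not code from the original message or from the Shibboleth
// project. Assumptions: REMOTE_USER reaches the container as getRemoteUser(),
// attributes arrive as AJP attributes or headers under SP-configured names
// ("affiliation" is assumed), and the SP's session initiator is at
// /Shibboleth.sso/Login (assumed path).
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ShibbolethGlueFilter implements Filter {
    // Session-initiator handler of the SP in front of us (assumed path).
    private static final String LOGIN_HANDLER = "/Shibboleth.sso/Login";

    // Names the rest of the application uses; nothing downstream sees
    // Shibboleth's own names, so the app is not tied to the SP.
    public static final String APP_USER = "app.user";
    public static final String APP_AFFILIATION = "app.affiliation";

    public void init(FilterConfig cfg) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String principal = request.getRemoteUser();
        if (principal == null || principal.isEmpty()) {
            // No SP session: hand off to the SP and come back to this URL.
            StringBuffer target = request.getRequestURL();
            if (request.getQueryString() != null) {
                target.append('?').append(request.getQueryString());
            }
            response.sendRedirect(LOGIN_HANDLER + "?target="
                    + URLEncoder.encode(target.toString(), "UTF-8"));
            return;
        }

        // Re-export identity under the application's own names.
        request.setAttribute(APP_USER, principal);
        request.setAttribute(APP_AFFILIATION, attribute(request, "affiliation"));
        chain.doFilter(req, res);
    }

    // Prefer the AJP attribute form; fall back to the header form. The header
    // form is only trustworthy when every request has passed through the SP,
    // which strips and re-sets the headers it exports on protected content.
    private static String attribute(HttpServletRequest r, String name) {
        Object v = r.getAttribute(name);
        if (v != null) {
            return v.toString();
        }
        return r.getHeader(name);
    }
}
```

The check a deployer should make before trusting the header path: the servlet container must be unreachable except through the SP. The SP removes and re-sets the headers it exports for the content it protects, but a client that can talk to the container directly (an open AJP or HTTP connector port) can supply `affiliation` itself and the filter above will believe it. Bind the connector to localhost or restrict it to the web server's address, or use only getRemoteUser() and the AJP attribute form.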
