shibboleth-dev - Re: wrt user entry of a pointer to their IDP ..or.. "invisible SSO"

Subject: Shibboleth Developers

  • From: Scott Cantor <>
  • To:
  • Subject: Re: wrt user entry of a pointer to their IDP ..or.. "invisible SSO"
  • Date: Wed, 19 Sep 2007 19:21:51 -0400

Tom Scavo wrote:
> But since the response doesn't come back through the WAYF, it can't
> implement the IdPDP. Thus the WAYF is not a Common Domain. Am I
> missing something?

Why does it have to? About all you're adding is a post-verification that the IdP the user picked actually worked; in the abstract that might be useful, but I haven't seen much trouble regarding that point. Perhaps others have...

It makes a lot of sense for a group of SPs that have a common trust environment to share a WAYF or a CDC (or a DS or whatever). We've said that over and over.

The problem I have is that people want *one* WAYF for the whole world or they seem to give up because you're never going to get to a seamless experience for all SPs. Obviously that's just not going to happen.

I think it makes sense to ask this question: what *exactly* are the problems with making every SP responsible for this? I'm not saying there aren't problems, but what are they and to what extent can they actually be solved for more than a particular small group of SPs that one contrives?

For example, pick our Wiki, J-STOR, ScienceDirect, and Microsoft's software discount thing (sorry, can't recall the name). I don't see how a solution involving a WAYF, CDC, DS, or proxy helps them.

I can imagine some hinting techniques that might help in conjunction with a bunch of WAYF/DS things, as long as we're prepared to recover when the hint is wrong, but I don't see how that helps if the hint just won't be there all the time.

-- Scott


