
shibboleth-dev - RE: Shibboleth Beta and WAYF/DS

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Shibboleth Beta and WAYF/DS
  • Date: Fri, 5 Oct 2007 20:04:49 -0400

> Has anyone been testing the Shibboleth Beta with any WAYF/DS
> applications? I am curious if there is a good starting point on using
> them and properly configuring the SP (and presumably the WAYF/DS) for
> pure SAML2 based transactions. I am most familiar with the Switch WAYF,
> but I am open to other options if it is not SAML2 viable.

No WAYF I know of would handle SAML 2, it will just dead end you. The DS in
subversion should be usable, AFAIK, and is protocol-independent.

> I read through the Shibboleth SP, and I was not entirely sure what was
> meant by creating an EntityID for the WAYF, are there examples of SAML2
> Metadata for a WAYF?

Don't know what you mean exactly. There's no metadata like that. There's
some metadata for the SP involved in authorizing a DS to return the IdP name
to it, but it's not metadata about the DS.

> Additionally, would a WAYF configured like that be
> compatible with non-Shibboleth IDPs (or SPs)?

A WAYF is a Shibboleth protocol proxy. A DS is not but has no support from
any other products that I know of. All SAML products treat discovery as out
of scope and typically assume a small set of IdPs and/or use the common
domain cookie.

Using them with the SP is straightforward, they simply run as "catch-all"
SessionInitiators that trap session requests that don't contain an entityID
to tell it what IdP to use. By definition, you'd generally just configure
either a WAYF or a DS, the latter if you expect SAML 2 support, the former
for legacy compatibility.

-- Scott
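
Added example, not part of the original message and not Shibboleth project code: in the OASIS Identity Provider Discovery Service Protocol, the SP metadata that authorizes a DS to return the IdP name is an `<idpdisc:DiscoveryResponse>` endpoint, and the sketch below shows a DS-side check of a request's `return` URL against it. The hostnames, paths and sample metadata are constructed placeholders, and comparing only scheme, host and path is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DISCO = "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"

# Constructed SP metadata; sp.example.org and its paths are placeholders.
SP_METADATA = f"""
<EntityDescriptor xmlns="{MD}" entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <idpdisc:DiscoveryResponse xmlns:idpdisc="{DISCO}" index="1"
          Binding="{DISCO}"
          Location="https://sp.example.org/Shibboleth.sso/DS"/>
    </Extensions>
  </SPSSODescriptor>
</EntityDescriptor>
""".strip()

def registered_returns(metadata_xml, entity_id):
    """Collect the DiscoveryResponse locations registered for one SP."""
    root = ET.fromstring(metadata_xml)
    locations = set()
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ent.get("entityID") != entity_id:
            continue
        for ep in ent.iter(f"{{{DISCO}}}DiscoveryResponse"):
            if ep.get("Binding") == DISCO and ep.get("Location"):
                locations.add(ep.get("Location"))
    return locations

def endpoint(url):
    """Scheme, host and path of a URL; query and fragment are ignored."""
    u = urlsplit(url)
    return (u.scheme.lower(), u.netloc.lower(), u.path)

def ds_may_return(request_url, metadata_xml):
    """True if the request's 'return' URL matches the SP's metadata."""
    qs = parse_qs(urlsplit(request_url).query)
    entity_id = qs.get("entityID", [None])[0]
    ret = qs.get("return", [None])[0]
    if not entity_id or not ret:
        return False  # this sketch requires both parameters to be present
    allowed = {endpoint(loc) for loc in registered_returns(metadata_xml, entity_id)}
    return endpoint(ret) in allowed
```

A DS that applies a check like this refuses to send the selected IdP's entityID to a location the SP never registered, so it cannot be used as an open redirector.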




