shibboleth-dev - RE: Shibboleth Beta and WAYF/DS
Subject: Shibboleth Developers
- Subject: RE: Shibboleth Beta and WAYF/DS
- Date: Fri, 5 Oct 2007 23:14:53 -0400
The wording of my question regarding the EntityID for the WAYF was certainly
horrific. I was referring to a comment I noticed in the shibboleth2.xml
configuration file. Clearly I misinterpreted the comment:
<!-- An example using an old-style WAYF, which means Shib 1 only unless an
entityID is provided. -->
I interpreted that to mean the old-style WAYF could support Shib 2 if an
entityID was provided, but I had no idea how to do that.
________________________________
From: Scott Cantor
Sent: Fri 10/5/2007 8:04 PM
Subject: RE: Shibboleth Beta and WAYF/DS
> Has anyone been testing the Shibboleth Beta with any WAYF/DS
> applications? I am curious if there is a good starting point on using
> them and properly configuring the SP (and presumably the WAYF/DS) for
> pure SAML2 based transactions. I am most familiar with the Switch WAYF,
> but I am open to other options if it is not SAML2 viable.
No WAYF I know of would handle SAML 2; it will just dead-end you. The DS in
subversion should be usable, AFAIK, and is protocol-independent.
> I read through the Shibboleth SP, and I was not entirely sure what was
> meant by creating an EntityID for the WAYF, are there examples of SAML2
> Metadata for a WAYF?
Don't know what you mean exactly. There's no metadata like that. There's
some metadata for the SP involved in authorizing a DS to return the IdP name
to it, but it's not metadata about the DS.
> Additionally, would a WAYF configured like that be
> compatible with non-Shibboleth IDPs (or SPs)?
A WAYF is a Shibboleth protocol proxy. A DS is not, but has no support from
any other products that I know of. All SAML products treat discovery as out
of scope and typically assume a small set of IdPs and/or use the common
domain cookie.
Using them with the SP is straightforward, they simply run as "catch-all"
SessionInitiators that trap session requests that don't contain an entityID
to tell it what IdP to use. By definition, you'd generally just configure
either a WAYF or a DS, the latter if you expect SAML 2 support, the former
for legacy compatibility.
-- Scott
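As an added illustration (not part of either message, and not the project's shipped configuration), here are the two catch-all arrangements Scott describes, written in the shibboleth2.xml SessionInitiator syntax of the 2.x SP as I know it; the hostnames are placeholders, and the element and attribute names are assumed to match your copy of the file. A request that already carries an entityID is handled by the SAML2 or Shib1 initiator earlier in the chain; only requests without one fall through to the WAYF or DS, which is the "unless an entityID is provided" in the quoted comment. In practice you configure one chain or the other, not both.

```xml
<!-- Legacy catch-all: a request with no entityID is sent to an old-style WAYF.
     The WAYF is a Shibboleth 1.x protocol proxy, so IdPs reached this way can
     only complete the Shib 1 flow (hostnames are placeholders). -->
<SessionInitiator type="Chaining" Location="/WAYF" id="WAYF">
    <!-- Tried first: works only when the request names an IdP with a SAML 2 endpoint -->
    <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
    <!-- Tried next: works only when the request names an IdP with a Shib 1 endpoint -->
    <SessionInitiator type="Shib1" acsIndex="5"/>
    <!-- Fallback for requests with no entityID: proxy through the WAYF -->
    <SessionInitiator type="WAYF" acsIndex="5" URL="https://wayf.example.org/WAYF"/>
</SessionInitiator>

<!-- SAML 2 catch-all: a request with no entityID is sent to a DS, which does not
     proxy anything; it only returns the chosen IdP's entityID to the SP, and the
     SP then builds its own SAML 2 (or Shib 1) request for that IdP. -->
<SessionInitiator type="Chaining" Location="/DS" id="DS" isDefault="true">
    <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1" acsIndex="5"/>
    <!-- The DS may hand the IdP name back only to a return location the SP's own
         metadata authorizes; this is the SP metadata Scott refers to, not
         metadata about the DS itself. -->
    <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS"/>
</SessionInitiator>
```

Because the DS returns an IdP name rather than proxying the protocol, the resulting session works with any IdP in the SP's metadata, which is why the DS chain is the one to use for SAML 2.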
- Shibboleth Beta and WAYF/DS, Jeff.Krug, 10/05/2007
- RE: Shibboleth Beta and WAYF/DS, Scott Cantor, 10/05/2007
- RE: Shibboleth Beta and WAYF/DS, Jeff.Krug, 10/05/2007
- RE: Shibboleth Beta and WAYF/DS, Scott Cantor, 10/05/2007
- RE: Shibboleth Beta and WAYF/DS, Jeff.Krug, 10/05/2007
- Re: Shibboleth Beta and WAYF/DS, Bernd Oberknapp, 10/20/2007
- RE: Shibboleth Beta and WAYF/DS, Scott Cantor, 10/05/2007