shibboleth-dev - RE: Dynamic Federation

Subject: Shibboleth Developers

RE: Dynamic Federation


  • From: "Josh Howlett" <>
  • To: <>
  • Cc: "Josh Howlett" <>
  • Subject: RE: Dynamic Federation
  • Date: Sat, 1 Dec 2007 21:26:44 -0000

> I find their approach to discovery even more interesting. I
> don't think an SP can derive a user's IdP from their e-mail
> address in general.

I thought SAML 2.0 already supported this kind of operation? (e.g.
SAMLMeta2 section 4.2.2.2)

> Suppose, however, the SP obtains a valid
> e-mail address from the user directly and then persists a
> mapping from this e-mail address to a persistent identifier
> (ePPN or ePTID) asserted by the IdP. Then the SP *can*
> determine the user's IdP from an input e-mail address.
> It's kinda like OpenID's approach to discovery, but using
> e-mail addresses instead of URLs (which may even be more
> palatable to users).

My own opinion - for what it's worth, probably not a lot - is that
Ping's proposal throws the baby out with the bathwater. Yes, it's
possible to reduce SAML to something that acts a lot like OpenID - but
do you really want it to?

josh.

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
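The SP-side e-mail-to-IdP mapping sketched in the quoted message, as an added example that is not part of the thread or of any Shibboleth code: the SP persists a mapping from an e-mail address it verified itself to the IdP that asserted a persistent NameID (the SAML 2.0 form of ePTID), and later uses that table for discovery only. The entityIDs, the `EmailDiscovery` class and the assertion fragment are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample: a persistent NameID as an IdP would assert it. NameQualifier
# names the IdP, SPNameQualifier the SP it was issued to (assumed entityIDs).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}"><saml:Subject>
<saml:NameID Format="{PERSISTENT}"
  NameQualifier="https://idp.example.edu/idp/shibboleth"
  SPNameQualifier="https://sp.example.org/shibboleth">a1b2c3d4</saml:NameID>
</saml:Subject></saml:Assertion>"""


def persistent_id(assertion_xml, our_entity_id):
    """(idp_entity_id, value) from a persistent NameID, or None if the NameID
    is absent, not persistent, or was issued to a different SP."""
    nid = ET.fromstring(assertion_xml).find(f".//{{{SAML2}}}NameID")
    if nid is None or nid.get("Format") != PERSISTENT or not nid.text:
        return None
    if nid.get("SPNameQualifier", our_entity_id) != our_entity_id:
        return None
    return nid.get("NameQualifier"), nid.text.strip()


class EmailDiscovery:
    """SP-local table: verified e-mail address -> (IdP entityID, persistent id).
    Hypothetical class, not Shibboleth SP code."""

    def __init__(self, our_entity_id):
        self.ours = our_entity_id
        self._table = {}

    def bind(self, email, email_verified, assertion_xml):
        """Store the mapping only for an address the SP verified itself and only
        once the IdP has asserted a persistent id. An address already bound to a
        different identifier is not silently rebound."""
        pid = persistent_id(assertion_xml, self.ours) if email_verified else None
        if pid is None:
            return False
        key = email.strip().lower()
        if self._table.get(key, pid) != pid:
            return False  # conflict: leave for an operator to review
        self._table[key] = pid
        return True

    def discover(self, email):
        """IdP entityID to send the user to, or None if the address is unknown."""
        entry = self._table.get(email.strip().lower())
        return entry[0] if entry else None
```

The table answers only "where should this user authenticate"; the SP still relies on the IdP's signed assertion for who the user is.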
