
shibboleth-dev - RE: Dynamic Federation

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Dynamic Federation
  • Date: Sat, 1 Dec 2007 16:42:20 -0500
  • Organization: The Ohio State University

> I thought SAML 2.0 already supported this kind of operation? (e.g.
> SAMLMeta2 section 4.2.2.2)

DDDS isn't widely supported by software and organizations don't provide
enough access to their DNS to make it viable anyway. I doubt that any
commercial SAML products support it.

> My own opinion - for what it's worth, probably not a lot - is that
> Ping's proposal throws the baby out with the bathwater. Yes, it's
> possible to reduce SAML to something that acts a lot like OpenID - but
> do you really want it to?

I assume you're talking about the actual basis of metadata exchange they've
talked about since discovery has no impact on the security of the system
(privacy is another matter). That's really orthogonal.

If somebody wants to deploy things with no verification of metadata, or
self-signing, or whatever, that's their prerogative. I don't find it
compelling or very useful, but that's ok. I still think the software should
support it if that's what people want, and whatever OpenID's proponents
claim, SAML has always permitted it. We're just trying to get products to
walk the walk.

The key (pun intended) is to get to a place where the metadata is the *only*
runtime determinant. I don't care what the schema is (SAML, WS-Federation,
XRI/XDI stuff), what matters is getting the PKI the heck out of there so
that the software has a prayer of both working and being understandable.
Then people can argue over how to get the metadata and trust it to their
heart's content. Make it dynamic, static, deliver it on the backs of
turtles, I don't care.

Ping has their own terminology, but that's my working definition of dynamic
federation.

-- Scott
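The position above, that metadata should be the only runtime determinant of trust, reduces the verifier's job to a lookup: a peer's signing certificate is trusted if and only if it appears in the metadata published for that entityID, with no CA chain or DNS lookup involved. The following is an added example of such a check, not code from Scott's post or from the Shibboleth project; the metadata document and certificate bytes are constructed placeholders.

```python
"""Metadata-driven trust: a signer is trusted iff its certificate is listed
for its entityID in SAML 2.0 metadata. No PKI chain building is performed.
Added example; the metadata and certificate contents are constructed."""
import base64
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Placeholder certificate bytes (not a real X.509 certificate); only an
# exact byte match against the metadata matters for this check.
IDP_CERT = b"constructed-placeholder-idp-signing-cert"

# Constructed metadata for one IdP, carrying the placeholder certificate.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="{md}" xmlns:ds="{ds}">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{cert}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>""".format(
    md=MD_NS, ds=DS_NS, cert=base64.b64encode(IDP_CERT).decode())


def load_signing_keys(metadata_xml):
    """Return {entityID: set of DER certificate bytes usable for signing}."""
    keys = {}
    root = ET.fromstring(metadata_xml)
    for ed in root.iter("{%s}EntityDescriptor" % MD_NS):
        certs = set()
        for kd in ed.iter("{%s}KeyDescriptor" % MD_NS):
            # A KeyDescriptor with no 'use' attribute covers both signing
            # and encryption; 'encryption'-only keys must not sign.
            if kd.get("use") not in (None, "signing"):
                continue
            for c in kd.iter("{%s}X509Certificate" % DS_NS):
                certs.add(base64.b64decode("".join((c.text or "").split())))
        keys[ed.get("entityID")] = certs
    return keys


def is_trusted_signer(keys, entity_id, presented_cert_der):
    """Exact-match decision: the metadata alone decides trust."""
    return presented_cert_der in keys.get(entity_id, set())
```

An unknown entityID or a certificate absent from the metadata simply fails the lookup; the certificate's issuer, validity dates and chain play no part.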
