Shibboleth Developers

["Diego R. Lopez" <>]

On 15 Feb 2008, at 22:09, Tom Scavo wrote:

> Is the Shib 1.3 IdP involved in this exchange an ordinary IdP, or is
> it extended to support the eduGAIN WebSSO profile in some way?

This is what the eduGAIN profile says about WebSSO using SAML 1.1:

> For those eduGAIN BEs configured to use SAML 1.1, Web SSO procedures  
> MUST comply with those described by the Shibboleth Web SSO Browser/ 
> POST profile (as described in [SAMLBind] and [ShibArch]), and  
> according to the following rules:
> ·      The providerId parameter used in the GET request to the H-BE  
> SHALL contain the unique identifier of the requesting R-BE. It MUST  
> be coded according to the structure defined for BE identifiers in  
> the guidelines of section 3.1.
> ·      The SAML response sent by the H-BE SHALL comply with the SAML  
> 1.1 mapping of an eduGAIN AuthenticationResponse as described in the  
> corresponding section of this document.
> ·      If an error occurs, the H-BE MUST return a SAML <Response> in  
> accordance with the SAML Browser/POST profile and coded according to  
> the rules described for the SAML mapping of eduGAIN  
> AuthenticationResponse with error results.

So an ordinary Shib IdP should be able to connect to eduGAIN, as long as
it uses a certificate issued according to eduGAIN rules. We have
arlready demonstrated interoperability in the other direction: the
CO-Manage demo site at  http://comanage.internet2.edu/ accepts identity
assertions coming from eduGAIN IdPs.

Be goode,


--
"Esta vez no fallaremos, Doctor Infierno"

Dr Diego R. Lopez

Red.es - RedIRIS
The Spanish NREN

e-mail: 

jid:    

Tel:    +34 955 056 621
Mobile: +34 669 898 094
-----------------------------------------