Shibboleth Developers

["Scott Cantor" <>]

>    the more I look for single-log-out solutions tested and
> properly-working with shibboleth, the more I find out
> * dated documents saying that shib2 will support SAML2.0 single logout
> specifications and
> * recent documents/posts saying it won't be supported before the first
> official release.

SP does, IdP doesn't. By "does", I just mean there's lots of barely tested
code to do SLO and do application notifications and all kinds of barely
documented things. We got it to work with, I think, Ping's IdP a long while
back, but since the developers can't test other products and very few people
have done significant testing of that nature, there isn't much I can say.
Testing SLO is almost always artificial and doesn't address the problem of
what users do vs. what people like to pretend they do.

> Making use of an external SSO mechanism (pubcookie, CAS, etc) would
> result in a more difficult to deploy/maintain architecture whereas we
> chose shibboleth to simplify federations' resources management.
> Can you make any prediction for a shibboleth-only solution?

I don't see any connection between SLO and using an external SSO other than
it will in most cases make SLO harder, not easier. In some cases impossible.

> Based on your experience and thinking about this inherently complex
> problem, how long could it take for a completely coded software to
> become a (almost-)fully-functional one?

I expect the initial SP release to be full of SLO bugs. If it works well by
the second point release, I'd be satisfied.

-- Scott