Shibboleth Developers

["Peter Williams" <>]

Discussion on the OpenID “general” mailing list suggests that it would be a useful experiment to let OpenID communities and Shib communities interwork as a technical level. As probably the most vocal party on the topic of OpenID & SAML interoperability, I am seeking an _expression_ of support from anyone who would like to technically assist me bridge my existing Openid2/SAML gateway, to Shib!

 

The Rapattoni OpenID websso infrastructure is tailored for the US Realtors –a diverse group of people managed in a thousand jurisdictions. The infrastructure now includes experimental gateway between endpoints performing the OpenID protocol and endpoints performing the SAML1/SAML2 protocol. Several authentication methods have been deployed (military smartcards, RSA One Time Passwords, anti-Phishing user interfaces, SMS and voice callbacks). Using these capabilities, demonstrations have already been mounted allowing the WebSSO bridge to create the illusion of an OpenID logon to Google’s SAML2-enabled Google Apps sites. Similarly, SAML2 IDP websites have been demonstrated to login to sites armed only with OpenID protocols. With suitable technical wizardry, I’ve little doubt that we can now bridge the gateways SAML1.1 endpoints to Shib endpoints – given Shib is a profile of the SAML1.1 standard.

 

If we can accomplish the above, two worthwhile goals will have been met: (1) the grassroots-centric OpenID standards process will gain direct access to the federation trust modeling work perfected in Shib, and (2) if the approach were to be adopted by the Shib community, academic users with Shib credentials would be able to exploit them on the fast emerging OpenID-enabled sites.

 

Peter.