shibboleth-dev - Re: ECP Profile compliance for Shibboleth 2.0
Subject: Shibboleth Developers
- From: Asa Hardcastle <>
- To:
- Subject: Re: ECP Profile compliance for Shibboleth 2.0
- Date: Thu, 27 Mar 2008 08:49:45 -0400
IIW is a good opportunity to show that SAML2 is a powerful force in SSO and beyond. OpenID will be everywhere. Cardspace will be all over it (maybe). I'd like us to have a killer demo, but I can't do it alone.
Here is a brief description of what I'd like to show at IIW.
COMPONENTS:
ECP Firefox Plugin
SAML2 SP - a photo sharing site or something fun (based on ZXID)
ID-WSF 2.0 Client Bindings (Based on OpenLiberty)
SAML2 IdP (would be nice if this could be both Shib and Symlabs)
OpenID IdP (who knows from where)
ID-WSF WSP, Discovery, People Service, Personal Profile (Symlabs)
DEMO:
* ECP login, selecting an IdP
* ID-WSF Disco EPR sent through the SAML2 Assertion (automatic in Symlabs, requires glue in Shib, but since OpenLiberty is written using OpenSAML code, should be easy to create a mechanism to pull an EPR from Symlabs ID-WSF and place it in the Shib response)
* photo sharing application (SP) uses people service to manage identities and sharing and profile.
* SP can share access (private, non-trivial) through ID-WSF.
* share access with OpenID users (would be nice to demonstrate the differences in privacy, ease of use, security, etc. One primary difference would be the inability to bootstrap into ID-WSF)
* allow for an OpenID user to "upgrade" into the SAML2/ID-WSF environment, obtaining an ID.
There is a lot to do here. The missing pieces from Shibboleth IdP are:
>> ECP Support (honoring PAOS AuthnRequest, sending a login panel or whatever, upon success sending an AuthNResponse) - PJ is willing to help, but it seems like this would be a relatively simple thing to add by someone who knows the code well.
>> ID-WSF Support - a simple start could be simply making a query through a SOAP channel upon SSO to obtain - given the location in the code where this insertion might occur, I could add this code.
In the future it would be nice to model an ECP authentication procedure that could all happen behind the scenes (through an ECP plugin). Basically it would be 100% SOAP/XML, login would be like magic. We could then present this method to Liberty for inclusion in a future ECP specification.
thanks,
asa
--
Asa Hardcastle, Technical Lead, openLiberty ID-WSF ClientLib
Tel: +1.413.429.1044 Skype: subsystem7
On Mar 25, 2008, at 4:37 PM, Peter Pritchard wrote:
Hey all,
Just wanted to drop a line into the mailing list that I am investigating adding support within Shib 2.0 IdP for the SAML 2.0/ECP Profile.
I have built a Firefox plugin, which claims to be ECP-compliant ... but need to show interoperability with IdPs of all flavors.
My co-worker, Asa, technical lead of the OpenLiberty ID-WSF client library, is hoping to do a demo at the IIW this May. It would be nice if we could show Shib2 IdP bootstrapping an SP into an ID-WSF environment using the ECP Firefox Plugin.
If anyone has anything to throw into the ring, I'd certainly appreciate any comments, suggestions or assistance.
- Peter Pritchard