shibboleth-dev - RE: ECP Profile compliance for Shibboleth 2.0

  • From: "Peter Williams" <>
  • To: <>
  • Subject: RE: ECP Profile compliance for Shibboleth 2.0
  • Date: Thu, 27 Mar 2008 06:53:19 -0700
  • Importance: normal



-----Original Message-----
From: Asa Hardcastle <>
Sent: Thursday, March 27, 2008 5:50 AM
To: <>
Subject: Re: ECP Profile compliance for Shibboleth 2.0

IIW is a good opportunity to show that SAML2 is a powerful force in
SSO and beyond. OpenID will be everywhere. Cardspace will be all
over it (maybe). I'd like us to have a killer demo, but I can't do it
alone.


Here is a brief description of what I'd like to show at IIW.

COMPONENTS:

ECP Firefox Plugin
SAML2 SP - a photo sharing site or something fun (based on ZXID)
ID-WSF 2.0 Client Bindings (Based on OpenLiberty)
SAML2 IdP (would be nice if this could be both Shib and Symlabs)
OpenID IdP (who knows from where)
ID-WSF WSP, Discovery, People Service, Personal Profile (Symlabs)


DEMO:

* ECP login, selecting an IdP

* ID-WSF Disco EPR sent through the SAML2 Assertion (automatic in
Symlabs, requires glue in Shib, but since OpenLiberty is written using
OpenSAML code, it should be easy to create a mechanism to pull an EPR
from Symlabs ID-WSF and place it in the Shib response)

* photo sharing application (SP) uses the People Service to manage
identities, sharing and profile.

* sp can share access (private, non-trivial) through ID-WSF.

* share access with OpenID users (would be nice to demonstrate the
differences in privacy, ease of use, security, etc. One primary
difference would be the inability to bootstrap into ID-WSF)

* allow for an OpenID user to "upgrade" into the SAML2/ID-WSF
environment, obtaining an ID.



There is a lot to do here. The missing pieces from Shibboleth IdP are:

>> ECP Support (honoring PAOS AuthnRequest, sending a login panel or
whatever, upon success sending an AuthnResponse) - PJ is willing to
help, but it seems like this would be a relatively simple thing to add
by someone who knows the code well.

>> ID-WSF Support - a simple start could be simply making a query
through a SOAP channel upon SSO to obtain - given the location in the
code where this insertion might occur, I could add this code.


In the future it would be nice to model an ECP authentication
procedure that could all happen behind the scenes (through an ECP
plugin). Basically it would be 100% SOAP/XML, login would be like
magic. We could then present this method to Liberty for inclusion in
a future ECP specification.


thanks,

asa

--
Asa Hardcastle, Technical Lead, openLiberty ID-WSF ClientLib
Tel: +1.413.429.1044 Skype: subsystem7

On Mar 25, 2008, at 4:37 PM, Peter Pritchard wrote:

> Hey all,
>
> Just wanted to drop a line into the mailing list, that I am
> investigating adding support within Shib 2.0 IdP for the SAML 2.0/
> ECP Profile.
>
> I have built a Firefox plugin, which claims to be ECP-compliant ...
> but need to show interoperability with IdPs of all flavors.
>
> My co-worker, Asa, technical lead of the OpenLiberty ID-WSF client
> library, is hoping to do a demo at the IIW this May. It would be
> nice if we could show Shib2 IdP bootstrapping an SP into an ID-WSF
> environment using the ECP Firefox Plugin.
>
> If anyone has anything to throw into the ring, I'd certainly
> appreciate any comments, suggestions or assistance.
>
> - Peter Pritchard
>

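The ECP exchange the thread is about (the plugin asks the SP with PAOS headers, receives a PAOS-wrapped AuthnRequest, forwards it to the IdP over SOAP, and carries the samlp:Response back to the SP), written out from the client side as an added example. This is not code from the thread, Shibboleth, OpenLiberty or ZXID; it uses only the Python standard library, and the endpoint URLs, message IDs, RelayState value, IdP-selection rule and function names are assumptions. It keeps the two checks an ECP client must not skip: rejecting a mustUnderstand="1" header block it does not implement, and refusing to deliver the IdP's response when the AssertionConsumerServiceURL in the ecp:Response header differs from the responseConsumerURL the SP announced (the profile's defence against an assertion being steered to another endpoint, answered with a SOAP fault to the SP).

```python
import copy
import xml.etree.ElementTree as ET

NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/",
      "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

SOAP_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"
MUST_UNDERSTAND = "{%s}mustUnderstand" % NS["S"]
# Header blocks this client implements; any other mustUnderstand="1" block is a fault.
KNOWN_HEADERS = {"{%s}Request" % NS["paos"], "{%s}Request" % NS["ecp"],
                 "{%s}RelayState" % NS["ecp"], "{%s}Response" % NS["ecp"]}
# Constructed, illustrative endpoints (assumptions, not from the thread).
ACS = "https://photos.example.org/Shibboleth.sso/SAML2/ECP"
IDP_ECP = "https://idp.example.edu/idp/profile/SAML2/SOAP/ECP"


class EcpError(Exception):
    """Raised where a real client would return a SOAP fault to the SP."""


def ecp_request_headers():
    """HTTP headers that make an ECP-aware SP answer with a PAOS envelope, not HTML."""
    return {"Accept": "text/html; application/vnd.paos+xml",
            "PAOS": 'ver="%s"; "%s"' % (NS["paos"], NS["ecp"])}


def _check_must_understand(env):
    header = env.find("S:Header", NS)
    for block in ([] if header is None else list(header)):
        if block.get(MUST_UNDERSTAND) == "1" and block.tag not in KNOWN_HEADERS:
            raise EcpError("unsupported mustUnderstand header " + block.tag)


def handle_sp_response(paos_xml):
    """Step 1: parse the SP's PAOS envelope and build the SOAP request for the IdP.
    Returns (idp_endpoint, soap_bytes, state kept for step 2)."""
    env = ET.fromstring(paos_xml)  # real clients: parse untrusted XML with defusedxml
    _check_must_understand(env)
    paos_req = env.find("S:Header/paos:Request", NS)
    if paos_req is None or paos_req.get("service") != NS["ecp"]:
        raise EcpError("no paos:Request for the ECP service")
    authn = env.find("S:Body/samlp:AuthnRequest", NS)
    if authn is None:
        raise EcpError("no AuthnRequest in the SOAP body")
    # IdP selection: take the SP's first IDPEntry (a real client prompts or uses config).
    entry = env.find("S:Header/ecp:Request/samlp:IDPList/samlp:IDPEntry", NS)
    if entry is None or not entry.get("Loc"):
        raise EcpError("SP supplied no usable IDPList")
    state = {"responseConsumerURL": paos_req.get("responseConsumerURL"),
             "messageID": paos_req.get("messageID"),
             "relayState": env.find("S:Header/ecp:RelayState", NS)}
    # Only the AuthnRequest goes to the IdP; the PAOS/ECP headers stay with the client.
    out = ET.Element("{%s}Envelope" % NS["S"])
    ET.SubElement(out, "{%s}Body" % NS["S"]).append(copy.deepcopy(authn))
    return entry.get("Loc"), ET.tostring(out), state


def handle_idp_response(soap_xml, state):
    """Step 2: validate the IdP's ecp:Response header and wrap samlp:Response for the SP.
    Returns (post_url, content_type, paos_bytes)."""
    env = ET.fromstring(soap_xml)
    _check_must_understand(env)
    ecp_resp = env.find("S:Header/ecp:Response", NS)
    saml_resp = env.find("S:Body/samlp:Response", NS)
    if ecp_resp is None or saml_resp is None:
        raise EcpError("IdP reply lacks ecp:Response header or samlp:Response body")
    # The profile's key check: the IdP's AssertionConsumerServiceURL must equal the
    # responseConsumerURL the SP sent, or the assertion could be steered elsewhere.
    if ecp_resp.get("AssertionConsumerServiceURL") != state["responseConsumerURL"]:
        raise EcpError("AssertionConsumerServiceURL != responseConsumerURL; send SOAP fault")
    out = ET.Element("{%s}Envelope" % NS["S"])
    header = ET.SubElement(out, "{%s}Header" % NS["S"])
    paos_resp = ET.SubElement(header, "{%s}Response" % NS["paos"],
                              {MUST_UNDERSTAND: "1", "{%s}actor" % NS["S"]: SOAP_NEXT})
    if state["messageID"]:
        paos_resp.set("refToMessageID", state["messageID"])
    if state["relayState"] is not None:  # echo the SP's RelayState unchanged
        header.append(copy.deepcopy(state["relayState"]))
    ET.SubElement(out, "{%s}Body" % NS["S"]).append(copy.deepcopy(saml_resp))
    return state["responseConsumerURL"], "application/vnd.paos+xml", ET.tostring(out)


# Constructed sample messages, cut down to the elements the client acts on.
SP_ENVELOPE = f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:paos="{NS['paos']}" xmlns:ecp="{NS['ecp']}"
 xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"><S:Header>
 <paos:Request S:mustUnderstand="1" S:actor="{SOAP_NEXT}" messageID="_m1"
  responseConsumerURL="{ACS}" service="{NS['ecp']}"/>
 <ecp:Request S:mustUnderstand="1" S:actor="{SOAP_NEXT}" IsPassive="false">
  <saml:Issuer>https://photos.example.org/shibboleth</saml:Issuer>
  <samlp:IDPList><samlp:IDPEntry ProviderID="https://idp.example.edu/idp/shibboleth"
   Name="Example IdP" Loc="{IDP_ECP}"/></samlp:IDPList></ecp:Request>
 <ecp:RelayState S:mustUnderstand="1" S:actor="{SOAP_NEXT}">ss:mem:demo</ecp:RelayState>
 </S:Header><S:Body>
 <samlp:AuthnRequest ID="_r1" Version="2.0" IssueInstant="2008-03-27T13:50:00Z"
  AssertionConsumerServiceURL="{ACS}"><saml:Issuer>https://photos.example.org/shibboleth</saml:Issuer>
 </samlp:AuthnRequest></S:Body></S:Envelope>"""


def idp_envelope(acs_url):
    """Constructed IdP reply; acs_url is a parameter so the mismatch case can be shown."""
    return f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:ecp="{NS['ecp']}" xmlns:samlp="{NS['samlp']}">
 <S:Header><ecp:Response S:mustUnderstand="1" S:actor="{SOAP_NEXT}"
  AssertionConsumerServiceURL="{acs_url}"/></S:Header>
 <S:Body><samlp:Response ID="_p1" Version="2.0" IssueInstant="2008-03-27T13:50:05Z"
  InResponseTo="_r1" Destination="{acs_url}"><samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 </samlp:Response></S:Body></S:Envelope>"""
```

Running `handle_sp_response(SP_ENVELOPE)` yields the IdP's SOAP endpoint and an envelope whose body is just the AuthnRequest; feeding `idp_envelope(ACS)` and the returned state to `handle_idp_response` yields the PAOS envelope (paos:Response with refToMessageID, the echoed RelayState, the samlp:Response) to POST to the SP with Content-Type application/vnd.paos+xml. Calling it with `idp_envelope("https://other.example.net/acs")` raises EcpError, which is where a real client sends the SOAP fault instead of the assertion. Signature and assertion validation are the SP's job on receipt and are not shown here.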


