
shibboleth-dev - RE: .NET Shibboleth IdP

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: .NET Shibboleth IdP
  • Date: Fri, 28 Mar 2008 09:40:27 -0400
  • Organization: The Ohio State University

> Being fairly new to the whole SAML scene (3 weeks at best) I'm still not
> entirely sure what I'm doing with it and am kind of throwing together code
> based on what I'm reading. So, yea does my response look OK?

It looked basically ok, but if you want to validate it, there are plenty of
tools for that better than my eyeballs.

> Also, it would seem I might have some kind of misunderstanding about
> Moodle's role as the SP.

I think so. Applications shouldn't be SPs, they should rely on the web
server, and then you deploy an SP of your choice for your web server.

> My understanding was that the Shib authn code provided allowed Moodle to
> act as the SP.

I think the code probably just bypasses Moodle's existing control over
authentication and convinces it to stop.

> But this seems to indicate that I'll need a SP of my own to get
> Moodle working? If there's no SP for Moodle then that could be my whole
> problem, hah! :-) We have a MoodleRooms account, because our clients that
> use Moodle all host on MoodleRooms. That said, MoodleRooms may have a Shib
> SP running on their servers, but as for my test environment, I certainly
> don't.

I seriously doubt they have an SP running, but I couldn't say for sure.

> That also means, that I could very well just not worry about SAML
> 1.1 right now and start off with 2.0 and we'll support 1.1 later when we
> find the need to.

As Bob said, it depends what you need. Today Shibboleth sites don't have
SAML 2 support rolled out, and that will take a while. All I meant was that
you probably don't want to clean room an IdP that only supports the old
protocol.

Honestly, clean rooming it at all is just a mistake. Yes, you can build a
fairly simple IdP if you toss half the feature set overboard, but honestly
it's a giant waste of resources. Just MHO.

-- Scott




