Shibboleth Developers

[Jim Fox <>]

In Monday's call I said I'd look into some directions
for the infocard plugin.  They go something like;

1) Different ways to authenticate.

   The extension uses id and password, through JAAS.  Other
   possibilities include Kerberos, X509 certificate, and
   self-issued card.

   a. A kerberos authn would give the user's principal name
      directly.  Not clear to me what percentage of
      our population has kerberos on their workstations.

   b. A certificate authn gives the IdP the certificate,
      from which, if the idp was sufficiently in cahoots
      with the issuing CA, it could directly extract the
      principal name.  This could be a security improvement,
      as one could be stored on a USB token and used like a key.

   c. The self-issued card gives the IdP the equivalent of
      a ePTID.  The IdP would have to look up the user's
      principal name from a database - could be LDAP.
      This might be a convenience to the user, but most
      users would likely not protect their self card with
      a password - making a lost laptop more likely a lost
      identity.

2) Allow infocard authn to the IdP.

   The obvious way to do this at Univ of Washington is to
   put an infocard-shib SP on our pubcookie servers. That
   way all university SSO login can be done with infocard,
   not just the shib ones.  However, that wouldn't work
   with non-apache sso sites.

   Another possibility is to allow a shib IdP to request an
   infocard login directly, as an alternative to the username
   and password form it comes with now.


Jim