
shibboleth-dev - Re: [Shib-Dev] Central WAYF + Distributed WAYF - Disadvantages = Embedded WAYF

Subject: Shibboleth Developers

  • From: Lukas Haemmerle <>
  • To:
  • Subject: Re: [Shib-Dev] Central WAYF + Distributed WAYF - Disadvantages = Embedded WAYF
  • Date: Wed, 24 Sep 2008 17:25:46 +0200
  • Organization: SWITCH - Serving Swiss Universities

>> Not right now but in theory yes :) I'm assuming that in most cases the
>> number of different Home Organizations that should get access is
>> reasonably small so that you wouldn't have to categorize the IdPs also
>> into different federations. This would require the user to interact
>> twice with some UI element and therefore also decrease usability slightly.
>
> Then I'm confused. With a centralized WAYF (and that's still what this is),
> you lose control over which IdPs should be displayed. You generally have to
> display them all.

Yes, you are still using the centralized WAYF although the user never
should see it because the embedded WAYF sends you there with the proper
arguments that will redirect you transparently to the selected IdP.
And because the embedded WAYF can locally be configured with JavaScript,
this allows you to exclude certain categories/IdPs.
See the JavaScript source code of https://kelimutu.switch.ch/


> When you want control over them, that's when you do your own. And if the
> list is so small that you don't need to categorize them, doing your own is
> trivial (in fact the SP comes with that capability now).

I think we agree that the list should be so small that it only contains
the entries of organizations whose users in the end can access this SP's
resources. So, if a federation has 35 IdPs and only 10 of them shall be
able to access something, only these 10 shall be displayed in the drop-down
list.

What exactly are you referring to when speaking about the trivial
WAYF/DS that already is bundled with the SP? Just a page with links to
/Shibboleth.sso/Login?entityId=XY or the template based
SessionInitiator? Can you provide an example site that uses something
like this?


> Basically, this still seems unworkable for the majority of cases, where a
> single federation is not going to work.

Although there is a trend for more and more interfederation SPs, I would
assume that more than 90% of all Service Providers in European
federations are still part of one federation only. And even if they are
part of multiple federations, the number of IdPs of other federations
probably still would be so small that you can easily add them also to
the embedded WAYF as is shown on https://kelimutu.switch.ch.

Lukas

--
SWITCH
Serving Swiss Universities
--------------------------
Lukas Haemmerle, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 64, fax +41 44 268 15 68
http://www.switch.ch
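
An added example, not part of the message above and not SWITCH's embedded WAYF code: a sketch of the local filtering the message describes, where a federation's IdP list is reduced by excluded categories and IdPs and extended with a few IdPs from other federations. It assumes the redirect goes to the SP's `/Shibboleth.sso/Login` handler with the SP's `entityID` and `target` parameters (the central WAYF's arguments are not given in the thread); all option names, entityIDs and categories are constructed.

```javascript
// Constructed sample data: entityIDs, names and categories are placeholders.
const federationIdPs = [
  { entityID: "https://idp.uni-a.example/idp/shibboleth", name: "University A", category: "university" },
  { entityID: "https://idp.uni-b.example/idp/shibboleth", name: "University B", category: "university" },
  { entityID: "https://idp.hospital-c.example/idp/shibboleth", name: "Hospital C", category: "hospital" },
  { entityID: "https://idp.library-d.example/idp/shibboleth", name: "Library D", category: "library" },
];

// Local settings of the embedded chooser; the option names are hypothetical.
const config = {
  excludedCategories: ["hospital"],
  excludedIdPs: ["https://idp.uni-b.example/idp/shibboleth"],
  additionalIdPs: [ // IdPs of other federations, added by hand
    { entityID: "https://idp.other-fed.example/idp/shibboleth", name: "Other Federation Uni", category: "external" },
  ],
  loginHandler: "/Shibboleth.sso/Login", // handler path quoted in the message
};

// Entries for the drop-down: federation list minus exclusions, plus the extras.
function visibleIdPs(all, cfg) {
  const hiddenCategories = new Set(cfg.excludedCategories);
  const hiddenIds = new Set(cfg.excludedIdPs);
  const kept = all.filter(
    (idp) => !hiddenCategories.has(idp.category) && !hiddenIds.has(idp.entityID)
  );
  const seen = new Set(kept.map((idp) => idp.entityID));
  for (const extra of cfg.additionalIdPs) {
    if (!seen.has(extra.entityID)) {
      kept.push(extra);
      seen.add(extra.entityID);
    }
  }
  return kept.sort((a, b) => a.name.localeCompare(b.name));
}

// Build the login redirect for the selected entry. Refuses an entityID that is
// not in the visible list and a target that is not a local path.
function loginUrl(selected, target, all, cfg) {
  if (!visibleIdPs(all, cfg).some((idp) => idp.entityID === selected)) {
    throw new Error("IdP not offered by this service: " + selected);
  }
  if (!/^\/(?![\/\\])/.test(target)) {
    throw new Error("target must be a path on this site");
  }
  const query = new URLSearchParams({ entityID: selected, target });
  return cfg.loginHandler + "?" + query.toString();
}
```

Both functions run in the browser, so they only shape what the user is offered; restricting which IdPs are actually accepted still has to be configured on the SP itself.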


