
shibboleth-dev - RE: [Shib-Dev] Central WAYF + Distributed WAYF - Disadvantages = Embedded WAYF

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] Central WAYF + Distributed WAYF - Disadvantages = Embedded WAYF
  • Date: Wed, 24 Sep 2008 11:45:49 -0400
  • Organization: The Ohio State University

> I think we agree that the list should be so small that it only contains
> the entries of organizations whose users in the end can access this SP's
> resources. So, if a federation has 35 IdPs and only 10 of them shall be
> able to access something, only these 10 shall be displayed in the drop-down
> list.

I didn't realize you had a way to filter it. I guess that makes more sense,
but the multiple federation issue remains a dealbreaker for me.

> What exactly are you referring to when speaking about the trivial
> WAYF/DS that already is bundled with the SP? Just a page with links to
> /Shibboleth.sso/Login?entityId=XY or the template based
> SessionInitiator? Can you provide an example site that uses something
> like this?

The template, but it amounts to the same thing. But if you're suggesting
that you expect the SP to drive the WAYF by providing the list of IdPs to
display, then it's basically equivalent. It's just a form that posts the
selected entityID back to the same location.

I had a site using it during a demo I was giving, but it's not running at
the moment.

> Although there is a trend for more and more interfederation SPs, I would
> assume that more than 90% of all Service Providers in European
> federations are still part of one federation only.

That's because interfederation doesn't exist yet. Once it does, that ends.
If it doesn't happen, federation will eventually turn into something else.

> And even if they are
> part of multiple federations, the number of IdPs of other federations
> probably still would be so small that you can easily add them also to
> the embedded wayf as is shown on https://kelimutu.switch.ch.

Not in a world of user consent.

I don't have anything against this, but I don't think it solves the more
fundamental problems that make a centralized approach unworkable. It's
probably a really good way to do it given that approach.

-- Scott
