shibboleth-dev - RE: [Shib-Dev] seeking feedback on Shibboleth 2.2 Roadmap
  • From: Peter Williams <>
  • To: "" <>
  • Subject: RE: [Shib-Dev] seeking feedback on Shibboleth 2.2 Roadmap
  • Date: Wed, 24 Sep 2008 12:21:06 -0700
  • Accept-language: en-US

why not go the whole hog, and have an openldap server front the
assertion/attribute store, using its data store plugin to talk to the
existing URL api?

This gets past the whole silly web interface limits (why is Internet2
willing to tolerate that stuff?), and formalizes the interface between app
and local store with a standard interface.

A variant of this is what folks did in the 1990-era PKI applications with
certs, and trust, and multirooted cert chains. They stored the persistent
cache of certs, and crls, keys, control structures, and trust points in a
MIB. UA and MTA apps interfaced to the cache using SNMP (or a co-resident
SNMP API). The nature of the MIB allows for many instances, different
schemas, and: "claim mapping". This idea of using the S-MIB as a local
truststore still has relics around, in the higher assurance HSM appliances
one buys. You have to talk to it over SNMPv3, with its own security services
applied, when the server supports a frontend cluster, of course.

________________________________________
From:
Sent: Wednesday, September 24, 2008 11:34 AM
To:
Subject: RE: [Shib-Dev] seeking feedback on Shibboleth 2.2 Roadmap

I read through it, and everything there looked good to me.

One additional thing I thought might be nice would be an extension of the
assertion exporting mechanism in the Shibboleth SP. The current method for
exporting the entire SAML Assertion is nice and has been an excellent method
for getting around the 8K barrier that crops up all over the place (AJP,
mod_proxy, IIS, etc.). We have used that extensively in our federation,
since we transmit very large SAML Assertions (well over 8K, and frequently
over 20K). The feature that I thought might be nice would be an additional
feature called attribute exporting, where each attribute is exported as a URL
for querying instead of as a value (this could either be done in bulk or on
an individual attribute basis). This way, if a single attribute could be
larger than 8K, there would be a means to get it without either parsing the
full SAML Assertion or relying on the environment to be able to handle larger
than 8K.

The additional authentication support on the IdP portion of the Roadmap looks
very promising, and I am excited to see how that progresses.

-----Original Message-----
From:
Sent: Tuesday, September 23, 2008 11:11 AM
To:
Subject: [Shib-Dev] seeking feedback on Shibboleth 2.2 Roadmap

The Shibboleth team has made available its current thinking about the
next point release of the Shibboleth software. This information is
available at:

https://spaces.internet2.edu/display/SHIB2/Shibboleth+2.2+Roadmap

The team is seeking comments and feedback. The first section of the
document identifies specific functionality, and the priorities
currently assigned by the team. The second section describes several
areas where we are seeking community input before possibly beginning
any implementation effort. Note that there are two sub-pages
providing additional detail: one on Consent Release of Attributes,
and one on Information Card Support.

Please send your comments to the shibboleth-dev AT internet2.edu
mailing list. Directions for subscribing to this list are available
at http://shibboleth.internet2.edu/lists.html .

The Shibboleth team would like to thank the community for its
contributions, comments, and feedback over the years. Please let us
know what you think of our current plans.
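The per-attribute "export as a URL instead of as a value" idea raised in the quoted reply, shown as an added example that is not Shibboleth SP code. It assumes the SP has already validated the assertion and holds the attributes as a name-to-string map; the `Shib-<name>` / `Shib-<name>-Ref` header names, the local `Shibboleth.sso/attribute/` endpoint and the in-process store are all hypothetical. Values that fit under the 8K proxy limit the thread mentions go inline; larger ones are handed to the application as an opaque, unguessable reference that only resolves under the SP's own base URL, so the application is never steered to fetch an attacker-chosen location.

```python
"""Export SAML attributes inline or by reference, depending on size.

Added example, not Shibboleth SP code. Header names, REF_BASE and the
in-process store are assumptions made for illustration.
"""
import secrets
from typing import Dict, Optional

HEADER_LIMIT = 8192  # per-value byte budget, the "8K barrier" from the thread
# Hypothetical SP-local endpoint the application dereferences; not a real SP handler.
REF_BASE = "http://localhost/Shibboleth.sso/attribute/"

# In-process store: opaque id -> attribute value. A real SP would scope this
# to the session and drop it when the session ends.
_store: Dict[str, str] = {}


def export_attributes(attributes: Dict[str, str],
                      limit: int = HEADER_LIMIT) -> Dict[str, str]:
    """Return the headers the SP would hand to the application.

    Values of at most `limit` bytes are exported inline as ``Shib-<name>``.
    Larger values are kept in the store and exported as ``Shib-<name>-Ref``,
    whose value is a URL the application resolves with resolve_reference().
    """
    headers: Dict[str, str] = {}
    for name, value in attributes.items():
        if len(value.encode("utf-8")) <= limit:
            headers[f"Shib-{name}"] = value
        else:
            # 256-bit random id: not derived from the value, not guessable.
            ref_id = secrets.token_urlsafe(32)
            _store[ref_id] = value
            headers[f"Shib-{name}-Ref"] = REF_BASE + ref_id
    return headers


def resolve_reference(url: str) -> Optional[str]:
    """Dereference a URL produced by export_attributes().

    Only URLs directly under REF_BASE are honoured, so the application cannot
    be pointed at an arbitrary host; unknown ids yield None.
    """
    if not url.startswith(REF_BASE):
        return None
    ref_id = url[len(REF_BASE):]
    if not ref_id or "/" in ref_id or "?" in ref_id:
        return None
    return _store.get(ref_id)


def largest_header_value(headers: Dict[str, str]) -> int:
    """Largest single header value in bytes, the figure a proxy limit applies to."""
    return max((len(v.encode("utf-8")) for v in headers.values()), default=0)


if __name__ == "__main__":
    # Constructed sample: one small attribute, one ~24K multi-valued attribute.
    sample = {
        "eduPersonPrincipalName": "alice@example.edu",
        "entitlements": "urn:mace:example:entitlement;" * 1000,
    }
    exported = export_attributes(sample)
    for k, v in exported.items():
        print(f"{k}: {v[:60]}{'...' if len(v) > 60 else ''}")
    print("largest header value:", largest_header_value(exported), "bytes")
    big = resolve_reference(exported["Shib-entitlements-Ref"])
    print("resolved entitlements length:", len(big) if big else None)
```

The check the application should make is the one in `resolve_reference`: accept only references under the SP's own base and treat anything else as absent, rather than fetching whatever URL appears in a header.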


