shibboleth-dev - RE: [Shib-Dev] seeking feedback on Shibboleth 2.2 Roadmap

RE: [Shib-Dev] seeking feedback on Shibboleth 2.2 Roadmap


  • From: Peter Williams <>
  • To: "" <>
  • Subject: RE: [Shib-Dev] seeking feedback on Shibboleth 2.2 Roadmap
  • Date: Wed, 24 Sep 2008 12:59:50 -0700
  • Accept-language: en-US

Interesting. I'm ever more convinced that the Shib SP is persistently
undersold in terms of its capabilities.

Did anyone do an interworking trial already with PingFederate as the IDP?

I believe PingFederate does dynamic generation of the metadata from the
endpoint, in the limited sense that the signature is generated and attached
on the fly - so the latest certs always percolate neighbor to
neighbor...Lampson style. (Imagine an EIGRP update across 300 routers, and
its ultra fast failover/convergence model being applied to cert chains and
revocation! (hint to UK JaNET, if anyone is listening))

If no one other than developers has done this, and if anyone can stand it, I'll
offer to go get my Shib2 SP out of the VM and try a trial or two. But I'll
need support with the SP config on this particular topic, assuredly. Is
Shib 2.0 the right platform, or do I need to rebuild Shib SP 2.1?

________________________________________
From: Scott Cantor
Sent: Wednesday, September 24, 2008 12:43 PM
To:
Subject: RE: [Shib-Dev] seeking feedback on Shibboleth 2.2 Roadmap

> any chance this could align with the dynamic metadata notions that Ping
> Federate SAML2 server actually supports? ...from a user's email id entered
> at an RP site, the RP can resolve (openid-style) to a URL at which endpoint
> the entity's (institutional) metadata can be located...and dynamically
> imported.

The SP already supports this. The IdP kind of does. That isn't precisely
what the feature is referring to. Dynamically generating metadata is
divorced from dynamically consuming it.

> In their concept, trust during that process is managed by SSL/PKI, to
> authorize such auto-import, tho, note. This may not fit well, here. Also,
> would assume the metadata signing tool is complete, and tuned up to easily
> sign a single entity's metadata (vs a collection of entity metadata, per
> InCommon notions)

All of which the SP already supports.

-- Scott
