Shibboleth Developers

[Peter Williams <>]

Interesting. I'm ever more convinced that the Shib SP is persistently 
undersold in terms of its capabilities.

Did anyone do an interworking  trial already with PingFederate as the IDP?

I believe PingFederate does dynamic generation of the metadata from the 
endpoint, in the limited sense that the signature is generated and attached 
on the fly - so the latest certs always percolate neighbor to 
neighbor...lampson style. (Imagine an EIGRP update across 300 routers, and 
its ultra fast failover/convergence model being applied to cert chains and 
revocation! (hint to UK JaNET, if anyone is listening)

if noone other that developers have done this, if anyone can stand it, i'll 
offer to go get my Shib2 SP out of the VM, and try a trial or two. But I'll 
need support with the SP config on this particular topic, assuredly. Is 
Shib2.0 the right platform, or do I need to rebuild Shib SP 2.1?

________________________________________
From: Scott Cantor 
[]
Sent: Wednesday, September 24, 2008 12:43 PM
To: 

Subject: RE: [Shib-Dev] seeking feedback on Shibboleth 2.2 Roadmap

> any chance this could align with the dynamic metadata notions that Ping
> Federate SAML2 server actually supports? ...from an user's email id
entered
> at an RP site, the RP can resolve (openid-style) to a URL at which
endpoint
> the entity's (institutional) metadata can be located...and dynamically
> imported.

The SP already supports this. The IdP kind of does. That isn't precisely
what the feature is referring to. Dynamically generating metadata is
divorced from dynamically consuming it.

> In their concept, trust during that process is managed by SSL/PKI, to
> authorize such auto-import, tho, note. This may not fit well, here. Also,
> would assume the metadata signing tool is complete, and tuned up to easily
> sign a single entities metadata (vs a collection of entity metadata, per
> incommon notions)

All of which the SP already supports.

-- Scott