
shibboleth-dev - RE: [Shib-Dev] seeking feedback on Shibboleth 2.2 Roadmap

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] seeking feedback on Shibboleth 2.2 Roadmap
  • Date: Wed, 24 Sep 2008 16:17:11 -0400
  • Organization: The Ohio State University

> Interesting. I'm ever more convinced that the Shib SP is persistently
> undersold in terms of its capabilities.

That assumes one thinks the feature is useful. Since I don't particularly,
it isn't on my short stack, but all of the configuration options are already
documented.

> Did anyone do an interworking trial already with PingFederate as the IDP?

I can't touch products because of tampering. Since I have no idea how
serious they are about supporting dynamic federation, I don't know what
they've done yet. What I do know from others is that their metadata support
is still not up to snuff, so I don't see how that jibes with claiming to
support this kind of thing.

> I believe PingFederate does dynamic generation of the metadata from the
> endpoint, in the limited sense that the signature is generated and attached
> on the fly - so the latest certs always percolate neighbor to
> neighbor...lampson style.

That's a DOS attack waiting to happen, but yes, the SP can do it. It just
isn't necessary to dynamically consume it. You can post a metadata document
ahead of time at the entityID for somebody else to consume.

> If no one other than developers has done this, if anyone can stand it, I'll
> offer to go get my Shib2 SP out of the VM, and try a trial or two. But I'll
> need support with the SP config on this particular topic, assuredly. Is
> Shib2.0 the right platform, or do I need to rebuild Shib SP 2.1?

Consuming the metadata dynamically works in 2.0, but only with signature
trust models. 2.1 is significantly enhanced.

https://spaces.internet2.edu/display/SHIB2/NativeSPMetadataProvider

Scroll for type="Dynamic".

-- Scott




