shibboleth-dev - RE: [Shib-Dev] seeking feedback on Shibboleth 2.2 Roadmap


RE: [Shib-Dev] seeking feedback on Shibboleth 2.2 Roadmap


  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] seeking feedback on Shibboleth 2.2 Roadmap
  • Date: Thu, 25 Sep 2008 15:13:52 -0400
  • Organization: The Ohio State University

> Perhaps, since it's all public information, we can simply arrange another
> Liberty-sponsored demo before some conference or other. I swear I've seen
> Shib folk do that before, in public, with multiple vendors' systems. The
> only "touching" requires shib configuration and interaction with a non-Shib
> system (using SAML standards, only)

Well, yes, but I'm not all that interested in traveling to demo this
particular feature. If somebody else wants to, they're welcome to.

I'm happy to provide a test SP that can do various things like this if
somebody wants to test against it. Online testing is not that hard.

> That is essentially claiming that their "Liberty Interoperable"
> certification is commercially meaningless (since metadata is so critical to
> SAML2) - and doesn't jive with what you'd expect from a "respectable"
> product compliance test.

Metadata is not viewed as a critical piece historically, and I know that
many "compliant" products don't support even *unworkable* models for using
metadata, let alone approaches that I know do work and scale.

But if you're waiting for me to defend commercial certifications, not going
to happen.

> I'll assume this means that Liberty is falling down, and not
> producing interworking tests of sufficient veracity. A compliance suite
> that produces this kind of comment about fundamental interoperability is not
> worth acknowledging (speaking as a customer). Shame on Liberty, if it is true.

I imagine that Liberty tests what people ask them to test. Conformance
testing is very difficult to prove real world usability with. That doesn't
mean they couldn't do a better job, but without firm rules for what people
have to make their products do based on a given set of metadata, they don't
have a firm set of tests to use.

Clearly my opinions about what the metadata spec imply go beyond what a lot
of other implementers felt, so there's work to be done.

But what they test is SAML interop, not metadata interop. Manually
configuring partners is considered acceptable, and that's how the products
work. Since I don't use the products, I can only say "that's stupid" so many
times before I just go on about my business.

> Is Shib2 "Liberty Interoperable"?

We haven't tried to go through the process, and I know that some of the
requirements aren't supported at the moment (e.g. SLO) anyway.

Personally, I can think of a few dental procedures I'd rather submit to, so
unless the community demands and funds it, I'd say it's unlikely.

> I'd expect that the cache timeout is NOT allowed to exceed the
> expiry date/time of either the SSL control cert or the SSO certs used for
> metadata-signing and SAML Response/assertion signing.

That's their mistake, then, since there is no reason to care about the
certificates in the metadata at all. It adds nothing.

> Interesting to see SSL's PKI become a control authority for this "dynamic"
> SAML. The nice thing is... the management framework is as open and flexible
> as SSL itself is.

That's why the model is ultimately not viable IMHO.

-- Scott
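An added example, not code from this thread or from the Shibboleth project, of the cache-timeout point argued above: in Python, with a constructed SAML 2.0 metadata document, it derives a consumer's refresh deadline from `cacheDuration`, caps that deadline at `validUntil` (a cache may never outlive the document's own validity), and performs an explicit-key match in which a peer's certificate is compared byte-for-byte against the metadata and its own notBefore/notAfter dates are never consulted. The entityID, dates and certificate contents are placeholders I made up, and the explicit-key behaviour is my reading of the metadata-driven trust model the reply describes, not a quotation from it.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD, DS = "{%s}" % MD_NS, "{%s}" % DS_NS

# Constructed sample metadata: entityID, dates and certificate text are
# placeholders, not values from any real deployment.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.org/idp/shibboleth"
    validUntil="2008-10-02T15:00:00Z" cacheDuration="P1D">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT-DATA</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# xs:duration subset: weeks, days, hours, minutes, seconds. Years and months
# have no fixed length, so they are rejected rather than guessed at.
_DUR = re.compile(r"^P(?:(\d+)W|(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?)$")


def parse_duration(text):
    """Convert an xs:duration such as 'P1D' or 'PT24H' into a timedelta."""
    m = _DUR.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported xs:duration: {text!r}")
    w, d, h, mi, s = m.groups()
    return timedelta(weeks=int(w or 0), days=int(d or 0), hours=int(h or 0),
                     minutes=int(mi or 0), seconds=float(s or 0))


def parse_utc(text):
    """Parse the UTC ('Z'-suffixed) xs:dateTime form SAML metadata uses."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"not a UTC xs:dateTime: {text!r}")


def metadata_window(xml_text, fetched_at):
    """Return (hard_expiry, refresh_by) for a document fetched at fetched_at.

    hard_expiry comes from validUntil (None if absent); refresh_by is
    fetched_at + cacheDuration, but never later than hard_expiry.
    """
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")
    cache_duration = root.get("cacheDuration")
    hard_expiry = parse_utc(valid_until) if valid_until else None
    refresh_by = fetched_at + parse_duration(cache_duration) if cache_duration else None
    if hard_expiry is not None and (refresh_by is None or hard_expiry < refresh_by):
        refresh_by = hard_expiry
    return hard_expiry, refresh_by


def _normalise(b64):
    # Certificates in metadata are often line-wrapped; compare without whitespace.
    return re.sub(r"\s+", "", b64)


def signing_keys(xml_text):
    """All X509Certificate values usable for signing (use='signing' or unspecified)."""
    root = ET.fromstring(xml_text)
    keys = []
    for kd in root.iter(MD + "KeyDescriptor"):
        if kd.get("use") in (None, "signing"):
            for cert in kd.iter(DS + "X509Certificate"):
                keys.append(_normalise(cert.text or ""))
    return keys


def is_trusted_key(xml_text, presented_cert_b64, now):
    """Explicit-key check: trusted iff the metadata is still valid at `now`
    and the very same certificate appears in it. The certificate's own
    validity dates play no part; metadata validity is the control."""
    hard_expiry, _ = metadata_window(xml_text, now)
    if hard_expiry is not None and now >= hard_expiry:
        return False
    return _normalise(presented_cert_b64) in signing_keys(xml_text)


if __name__ == "__main__":
    fetched = datetime(2008, 9, 25, 19, 13, 52, tzinfo=timezone.utc)
    expiry, refresh = metadata_window(SAMPLE_METADATA, fetched)
    print("validUntil:", expiry.isoformat(), " refresh by:", refresh.isoformat())
    print("peer cert trusted:", is_trusted_key(SAMPLE_METADATA, "PLACEHOLDER-BASE64-CERT-DATA", fetched))
```

Run it as a script to see the refresh deadline shrink to `validUntil` once the fetch time gets within a day of it; the consumer is expected to refetch (and re-verify the metadata signature) by that deadline, which is where the real rollover control lives.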

Archive powered by MHonArc 2.6.16.