
shibboleth-dev - Re: [Shib-Dev] Obtaining user attributes from a web form at the time of authentication


Re: [Shib-Dev] Obtaining user attributes from a web form at the time of authentication


  • From: "Dharam Veer" <>
  • To:
  • Subject: Re: [Shib-Dev] Obtaining user attributes from a web form at the time of authentication
  • Date: Mon, 27 Oct 2008 11:27:13 -0500

The world of extensions is on the rise (Google Gears, Firefox add-ons :) ), so the poor user installs one more. Jokes aside, Scott, I do see your concern, but for whatever reason the world is fascinated by keeping some profile data with them on a local machine or device [e.g. CardSpace, and I think the Advanced Client from Liberty (I do not have much knowledge about the Advanced Client, so pardon me if I misused it here)] and maybe gets a false sense of security that it is not in some database.

For me, one of the scenarios is this:
- SP asks the user to authenticate and specifies the attributes that are needed for providing the service
- user goes to the IdP, authenticates, enters (or reads from the machine, or selects one stored with the IdP) his attributes
- response from the IdP contains an authentication assertion and attribute statements corresponding to the ones requested by the service provider in the AuthnRequest

That being said:
- OpenID with its Simple Registration protocol seems to answer it, but it does not provide me the excellent work done in SAML regarding metadata, establishment of trust, strength of XML sig/enc and many other extensions.
- CardSpace looks a bit heavy (on client install), and again with its selector I am not flexible enough for retrieval of attributes.

and thus I am trying to see if I could achieve my scenario from within SAML 2.0 and on top of the excellent Shibboleth API/implementation of the SAML specifications.

Till now I have learned that in SAML, for my scenario:
1/ As part of the AuthnRequest you can't specify the attributes required. Attribute Query/Response is the thing to use for this. [Please correct me if I misunderstood the spec]
2/ In order to transmit attributes in the Response (to the AuthnRequest) you could put them in the attribute-resolver of Shibboleth, but in that case they have to be transmitted every time the user authenticates (not good, definitely).

You can see I am really in a fix here with my custom weird scenario :)

Tom suggested looking at OAuth. Going to look at it, but again that would mean drifting from SAML.

Again, many thanks for your guidance. I truly appreciate your comments.

Regards

On Mon, Oct 27, 2008 at 10:40 AM, Scott Cantor <> wrote:
>> I completely agree that entering it again and again is not acceptable. This
>> data (sort of profile cards) is stored on user's computer (or on a device)
>> and is retrieved using a browser extension.
>
> Interesting. How do you manage to require an extension like that? What's
> your user population?
>
> -- Scott
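The attribute-query path from point 1 above, as an added example (not code from the original post or from Shibboleth): it builds a SAML 2.0 AttributeQuery that names only the attributes the SP needs, then checks an IdP Response's AttributeStatement against that request so the SP can see what was withheld and what was released without being asked. The entity ID, NameID, and the sample Response are constructed for illustration.

```python
"""Request specific attributes with a SAML 2.0 AttributeQuery and audit the Response.
Added example, not Shibboleth code; entity ID, NameID and sample Response are constructed."""
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_attribute_query(issuer, name_id, attr_names):
    """Return an AttributeQuery element asking only for attr_names (URI-format names)."""
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID",
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent").text = name_id
    for name in attr_names:  # one <saml:Attribute> per wanted attribute, no values
        ET.SubElement(q, f"{{{SAML}}}Attribute", Name=name, NameFormat=URI_FMT)
    return q

def attributes_in_response(response_xml):
    """Map attribute Name -> list of values across every AttributeStatement in the Response."""
    root = ET.fromstring(response_xml)
    found = {}
    for attr in root.iterfind(f".//{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute"):
        vals = [v.text or "" for v in attr.iterfind(f"{{{SAML}}}AttributeValue")]
        found.setdefault(attr.get("Name"), []).extend(vals)
    return found

def check_coverage(requested, found):
    """Return (missing, unrequested): attributes the IdP withheld, and ones it sent unasked."""
    return sorted(set(requested) - set(found)), sorted(set(found) - set(requested))

# Constructed sample: IdP released mail but not givenName, and added eduPersonPrincipalName unasked.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0"><saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="{URI_FMT}">
      <saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="{URI_FMT}">
      <saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
REQUESTED = ["urn:oid:2.5.4.42", "urn:oid:0.9.2342.19200300.100.1.3"]  # givenName, mail

if __name__ == "__main__":
    print(ET.tostring(build_attribute_query("https://sp.example.org/shibboleth", "abc123", REQUESTED), encoding="unicode"))
    print(check_coverage(REQUESTED, attributes_in_response(SAMPLE_RESPONSE)))
```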
