
shibboleth-dev - RE: [Shib-Dev] Spring supports OAuth

Subject: Shibboleth Developers



  • From: Peter Williams
  • Subject: RE: [Shib-Dev] Spring supports OAuth
  • Date: Thu, 12 Feb 2009 08:47:48 -0800

Another motivating argument is that deployment-focussed folks simply want to
talk to and mashup with the many oauth sites (who show little sign of
adopting saml/shib or more formal sts architectures).

I did have an excellent and very satisfying interaction with a new saml sp
partner last week that used the spring security framework for saml2
interworking (both sso and slo). I'm guessing they invested less than 20h
adding saml2 to the commercial website. Quite what spring provides in terms
of session security model (over and above serialization and signing/pki) I
don't know (and as the peer-peer idp I don't really care). But they are quite
delighted with saml2. I'll try to chat to them about what opportunity oauth
might offer them, in a combo protocol world.



-----Original Message-----
From: Scott Cantor
Sent: Thursday, February 12, 2009 8:26 AM
Subject: RE: [Shib-Dev] Spring supports OAuth

Wu, Albert wrote on 2009-02-12:
> Not that I necessarily think this is the right thing to do, but if one
> considers "attributes" in Shib terms as "protected resource" in OAuth
> terms, and Shib IDP as OAuth "Service Providers", the 2 spaces begin to
> overlap. Would it be conceivable that there eventually be a use case for
> interoperability?

OAuth as a security mechanism to authenticate to the IdP for queries? I
can't see that being of much use with any current use cases, but if you were
using the IdP as something like a "personal profile service" in the Liberty
sense, I suppose it might be plausible.

I think in general that the user consent model during SSO to approve release
is simpler than something with OAuth that bounces you back to the IdP would
be. But if you start looking at aggregation use cases, then it might come
up.

-- Scott




