shibboleth-dev - RE: [Shib-Dev] handing off assertion from websso to STS translating to saml2 profile of security token

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] handing off assertion from websso to STS translating to saml2 profile of security token
  • Date: Wed, 15 Apr 2009 12:49:53 -0400
  • Organization: The Ohio State University

Peter Williams wrote on 2009-04-15:
> Is it reasonable for an SP to give the (now IDP-side) STS a Shib2 websso
> assertion for "token" translation - and then attach the resulting token to
> a web service call?

In their current "undecorated" form, no, that's not reasonable. The STS,
IdP, or whatever you want to call it is a relying party in that exchange. If
you hand it an assertion, it is required by any reasonable reading of the
standard to evaluate the assertion in that light, and there are at least a
couple of criteria by which it should rule the token invalid:

- the AudienceRestriction won't be valid
- the Bearer confirmation can't be satisfied because it will have a
Recipient value pointing to the SP
- the Bearer confirmation may also be expired in some cases

If you want to do delegation, you do something like we have proposed in the
uPortal integration project. It doesn't have to result in Liberty-defined
interactions, but the up front decoration required is essentially the same.

There's probably little reason not to require Holder of Key, since if it's
an SP performing the request, you can determine the key from its metadata.

-- Scott
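The relying-party checks Scott lists above (AudienceRestriction, the bearer Recipient, the bearer expiry) and the Holder-of-Key alternative he suggests, as an added worked example that is not part of this thread and not Shibboleth or OpenSAML code. It evaluates a SAML 2.0 assertion from the STS's point of view and returns every reason the token should be refused. The two embedded assertions, the entity IDs, endpoints and key names are constructed sample values; the "presenter key name" stands in for whatever key the STS has established the caller holds (for an SP, the key published in its metadata):

```python
"""Relying-party evaluation of a SAML 2.0 assertion handed to an STS.
Added example, not Shibboleth code; all identifiers below are made up."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml2": SAML2, "ds": DS}
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CM_HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


@dataclass
class RelyingParty:
    """What the evaluating party (the STS) knows about itself."""
    entity_id: str                 # value it expects inside <Audience>
    endpoint: str                  # value it expects in a bearer Recipient
    require_holder_of_key: bool = False


def _ts(value: str) -> datetime:
    """Parse a SAML UTC dateTime ('...Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate(assertion_xml: str, rp: RelyingParty, now: datetime,
             presenter_key_name: Optional[str] = None) -> List[str]:
    """Return the reasons the assertion is NOT acceptable to `rp`
    (empty list == accepted).  `presenter_key_name` is the key the
    caller proved possession of, e.g. the SP's key from its metadata."""
    root = ET.fromstring(assertion_xml)
    problems: List[str] = []

    # 1. Conditions: overall validity window and AudienceRestriction.
    conds = root.find("saml2:Conditions", NS)
    if conds is not None and conds.get("NotOnOrAfter") and now >= _ts(conds.get("NotOnOrAfter")):
        problems.append("assertion Conditions expired")
    audiences = [a.text.strip() for a in root.findall(
        "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)]
    if audiences and rp.entity_id not in audiences:
        problems.append(f"AudienceRestriction {audiences} does not include {rp.entity_id}")

    # 2. SubjectConfirmation: at least one method must be satisfiable by us.
    reasons: List[str] = []
    satisfied = False
    for sc in root.findall("saml2:Subject/saml2:SubjectConfirmation", NS):
        method = sc.get("Method")
        data = sc.find("saml2:SubjectConfirmationData", NS)
        if data is not None and data.get("NotOnOrAfter") and now >= _ts(data.get("NotOnOrAfter")):
            reasons.append(f"{method}: confirmation expired")
            continue
        if method == CM_BEARER:
            recipient = data.get("Recipient") if data is not None else None
            if rp.require_holder_of_key:
                reasons.append("bearer: holder-of-key required by this relying party")
            elif recipient != rp.endpoint:   # Recipient still points at the SP
                reasons.append(f"bearer: Recipient {recipient!r} is not {rp.endpoint}")
            else:
                satisfied = True
        elif method == CM_HOK:
            names = [k.text.strip() for k in data.findall("ds:KeyInfo/ds:KeyName", NS)] if data is not None else []
            if presenter_key_name and presenter_key_name in names:
                satisfied = True
            else:
                reasons.append(f"holder-of-key: presenter key {presenter_key_name!r} not in {names}")
        else:
            reasons.append(f"{method}: unsupported confirmation method")
    if not satisfied:
        problems.append("no SubjectConfirmation satisfied: " + "; ".join(reasons))
    return problems


# Constructed sample 1: an undecorated WebSSO assertion issued to the SP.
WEBSSO_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2009-04-15T16:00:00Z">
  <saml2:Subject><saml2:NameID>pwilliams</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData Recipient="https://sp.example.org/Shibboleth.sso/SAML2/POST" NotOnOrAfter="2009-04-15T16:05:00Z"/>
    </saml2:SubjectConfirmation></saml2:Subject>
  <saml2:Conditions NotOnOrAfter="2009-04-15T17:00:00Z"><saml2:AudienceRestriction>
    <saml2:Audience>https://sp.example.org/shibboleth</saml2:Audience>
  </saml2:AudienceRestriction></saml2:Conditions>
</saml2:Assertion>"""

# Constructed sample 2: a "decorated" delegation assertion aimed at the STS,
# confirmed by holder-of-key with the SP's (made-up) metadata key name.
DELEGATION_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a2" Version="2.0" IssueInstant="2009-04-15T16:00:00Z">
  <saml2:Subject><saml2:NameID>pwilliams</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml2:SubjectConfirmationData><ds:KeyInfo><ds:KeyName>sp-signing-key</ds:KeyName></ds:KeyInfo></saml2:SubjectConfirmationData>
    </saml2:SubjectConfirmation></saml2:Subject>
  <saml2:Conditions NotOnOrAfter="2009-04-15T17:00:00Z"><saml2:AudienceRestriction>
    <saml2:Audience>https://idp.example.org/sts</saml2:Audience>
  </saml2:AudienceRestriction></saml2:Conditions>
</saml2:Assertion>"""

STS = RelyingParty(entity_id="https://idp.example.org/sts",
                   endpoint="https://idp.example.org/sts", require_holder_of_key=True)
NOW = datetime(2009, 4, 15, 16, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, xml in (("websso", WEBSSO_ASSERTION), ("delegation", DELEGATION_ASSERTION)):
        print(name, evaluate(xml, STS, NOW, presenter_key_name="sp-signing-key") or "accepted")
```

Run as-is, the WebSSO assertion is refused twice over (wrong audience, and its only confirmation is a bearer whose window has already closed), while the delegation assertion is accepted because its audience names the STS and the caller holds the key named in the holder-of-key confirmation. Turning `require_holder_of_key` off and evaluating before the bearer window expires shows the remaining criterion: the Recipient still names the SP's endpoint, not the STS.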
