
shibboleth-dev - Passing delegated credentials



  • From: Jeffrey T Eaton <>
  • To:
  • Subject: Passing delegated credentials
  • Date: Tue, 6 Apr 2010 09:20:31 -0400

Hi,

We're looking into extending Shibboleth to provide the ability to pass delegated credentials from the IdP to an SP.

Specifically, we would like to be able to pass WS-Security assertions or Kerberos 5 tickets, so that the SP can then use those credentials to authenticate to another service. For example, if we use Shib to authenticate users to our web portal, the portal would be able to extract the credentials from the Shib SAML assertion, then use those credentials to authenticate to our mail server on behalf of the user. (Our portal currently gets an IMAP K5 service ticket in this way via Pubcookie, and then authenticates to Cyrus using the user's IMAP service ticket. This way, the portal does not have to have "superuser" credentials to the IMAP server.)

So, that said, we are looking at either passing multiple SAML assertions between the IdP and SP, or embedding the credentials into the existing SAML assertion (perhaps as a Base-64 encoded blob).

Does anyone have any thoughts on the best way to pass these credentials?

Is it possible to pass multiple SAML assertions at once to an SP? The SP code seems to indicate that multiple Shib assertions can be passed (grep for "Shib-Assertion-Count"), but I don't see any way to actually do this.

Thanks,

-jeaton
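The following is an added example, not code from the post above or from the Shibboleth project. It sketches the SP side of the second option the post raises (a Base64-encoded credential blob embedded in the SAML assertion), and also shows how an SP would count the assertions in a multi-assertion Response. Everything specific is assumed for illustration: the attribute name `urn:example:delegated-credential`, the hypothetical IdP entity ID, the hand-built unsigned sample Response, and a minimal constructed DER blob standing in for a Kerberos 5 Ticket (RFC 4120 encodes a Ticket as `[APPLICATION 1] SEQUENCE`, whose outer DER tag is `0x61`, which is the only structural check performed here). The example enforces the assertion's `Conditions` validity window before handing the credential out, because a delegated ticket must not be usable on the strength of an expired assertion. Signature verification, which a real SP must do before trusting any of this, is deliberately out of scope (it needs an XML signature library such as xmlsec).

```python
"""SP-side extraction of a delegated credential carried as a Base64 blob in a
SAML 2.0 attribute. Added example; attribute name, entity IDs, the sample
Response and the fake ticket bytes are all constructed for illustration."""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # production code should parse with defusedxml

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
CRED_ATTR = "urn:example:delegated-credential"  # hypothetical attribute name
IDP = "https://idp.example.edu/idp/shibboleth"   # hypothetical issuer

# Constructed DER: [APPLICATION 1] { SEQUENCE { [0] INTEGER 5 } }, i.e. the outer
# shape of a Kerberos Ticket with tkt-vno = 5 and nothing else. Not a real ticket.
FAKE_TICKET = bytes([0x61, 0x07, 0x30, 0x05, 0xA0, 0x03, 0x02, 0x01, 0x05])
SAMPLE_NOW = datetime(2010, 4, 6, 13, 25, 0, tzinfo=timezone.utc)


def build_sample_response(cred_b64: str, not_on_or_after: str) -> str:
    """Constructed two-assertion, UNSIGNED Response: one authn assertion, one
    attribute assertion carrying the delegated credential."""
    t = "2010-04-06T13:20:31Z"
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}"
    ID="_r1" Version="2.0" IssueInstant="{t}">
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="{t}">
    <saml2:Issuer>{IDP}</saml2:Issuer>
    <saml2:Conditions NotBefore="{t}" NotOnOrAfter="{not_on_or_after}"/>
    <saml2:AuthnStatement AuthnInstant="{t}"/>
  </saml2:Assertion>
  <saml2:Assertion ID="_a2" Version="2.0" IssueInstant="{t}">
    <saml2:Issuer>{IDP}</saml2:Issuer>
    <saml2:Conditions NotBefore="{t}" NotOnOrAfter="{not_on_or_after}"/>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="{CRED_ATTR}">
        <saml2:AttributeValue>{cred_b64}</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def sample_response(not_on_or_after: str = "2010-04-06T13:30:31Z") -> str:
    return build_sample_response(base64.b64encode(FAKE_TICKET).decode(), not_on_or_after)


def parse_saml_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def looks_like_krb5_ticket(blob: bytes) -> bool:
    """Check only the outer DER envelope: tag 0x61 ([APPLICATION 1], constructed)
    and a length field that covers exactly the rest of the blob."""
    if len(blob) < 2 or blob[0] != 0x61:
        return False
    first = blob[1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form length, n following bytes
        n = first & 0x7F
        if n == 0 or len(blob) < 2 + n:
            return False
        length, hdr = int.from_bytes(blob[2:2 + n], "big"), 2 + n
    return hdr + length == len(blob)


def count_assertions(xml_text: str) -> int:
    """What an SP would expose as the number of assertions in the Response."""
    return len(ET.fromstring(xml_text).findall("saml2:Assertion", NS))


def extract_delegated_credentials(xml_text: str, now: datetime) -> list:
    """Return [(assertion_id, ticket_bytes)] for credentials found in assertions
    whose Conditions window contains `now`. Signature checking is NOT done here."""
    found = []
    for a in ET.fromstring(xml_text).findall("saml2:Assertion", NS):
        cond = a.find("saml2:Conditions", NS)
        if cond is None:
            continue                      # no validity window: refuse the credential
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_saml_time(nb):
            continue
        if noa and now >= parse_saml_time(noa):
            continue
        for attr in a.findall("saml2:AttributeStatement/saml2:Attribute", NS):
            if attr.get("Name") != CRED_ATTR:
                continue
            for v in attr.findall("saml2:AttributeValue", NS):
                try:
                    blob = base64.b64decode((v.text or "").strip(), validate=True)
                except ValueError:        # binascii.Error is a ValueError
                    continue
                if looks_like_krb5_ticket(blob):
                    found.append((a.get("ID"), blob))
    return found


if __name__ == "__main__":
    resp = sample_response()
    print("assertions:", count_assertions(resp))
    for aid, blob in extract_delegated_credentials(resp, SAMPLE_NOW):
        print(f"credential from {aid}: {blob.hex()}")
```

The portal would hand the returned bytes to its Kerberos library as the user's IMAP service ticket; the example stops at the envelope check because nothing beyond the outer tag is generic. The expired-window case is the one to watch: the same attribute in an assertion whose `NotOnOrAfter` has passed yields nothing.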
