
shibboleth-dev - RE: [Shib-Dev] Federation Bridge Concept

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] Federation Bridge Concept
  • Date: Thu, 30 Sep 2010 21:02:10 -0400
  • Organization: The Ohio State University

> 1) Is there anything blatantly flawed with this approach?

In the SAML sense, all you're doing is using PKI for authentication, and
it's never strictly in scope for SAML where you get the attributes you
assert. The details are all in what you're telling people, right? Where do
they think the data's coming from, that sort of thing.

> 2) Any idea how hard it would be to create that data connector? Or does
> anything like this exist already?

On one level, it's the proverbial web services connector. It really depends
what you mean by SAML queries. You can do queries with any security model
you want. If you mean the kind of thing we do, that's a much richer security
model based on trust engines, client TLS and/or signing, etc. I don't think
we have a client stack for that in Java quite yet, just the work Unicon did
in the delegation library and maybe a proto SOAP client somewhere, I think.
Not quite what the SP can do yet. But you may well not need that if the
trust model behind all that is just static PKI.

-- Scott




