shibboleth-dev - [Shib-Dev] yet another java SP implementation....

  • From: Steven Carmody <>
  • To: Shib-dev <>
  • Subject: [Shib-Dev] yet another java SP implementation....
  • Date: Mon, 03 Jan 2011 11:47:19 -0500

This one is based on OpenSAML..... so yes, this is Scott's nightmare scenario, yet again.....

The work was done by a company providing a cloud-based HR system. Brown is currently evaluating the feasibility of adopting this solution; a core team member is at a school headed to production with this vendor on July 1.

When discussing Federated Access, they said that their current SP implementation implements these checks:

1) Issuer - this must match the value configured in the Workday SSO setup page
2) Signature - this must apply to the entire SAML message; some IdPs allow for signing only the Assertion subelement instead of the entire response
3) Subject - this must match an existing Workday Account userID
4) Conditions/AudienceRestriction - Workday requires a value of 'http://www.workday.com'
5) Conditions/NotBefore & NotOnOrAfter attributes - Workday enforces a max skew of ± 3 minutes

Some questions:

1) Would a Shibboleth IDP be able to generate a SAML msg containing a SAML AuthN Assertion that meets those requirements?

2) Are there additional checks that the project would recommend that they implement ?

3) They currently only implement an IdP-first web browser profile. I expect this will mean that a "typically configured" Shib IdP would not be able to generate a msg meeting the above requirements?

thanks!
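The five SP-side checks listed in the message above, as an added worked example (this is not code from the Shibboleth project or from the vendor's SP). It parses a constructed SAML 2.0 Response and applies each check in turn. The IdP entityID, the user "jsmith" and the timestamps are hypothetical sample values. Check 2 is deliberately limited: real XML signature verification needs an XML-DSig library (canonicalization, key trust, reference digest validation); here the code only confirms that the ds:Signature element sits directly on the Response and that its Reference URI points at the Response ID, which is the structural difference between "entire message signed" and "Assertion-only signed" that the message describes.

```python
"""Illustrative checks for the five SP-side validations listed in the post.

Added example, not the Shibboleth project's or the vendor's code. It does NOT
verify the XML signature cryptographically (use an XML-DSig library for that);
for check 2 it only verifies that the signature is placed on the Response and
references the Response ID rather than only the Assertion.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample values; the IdP entityID and user are hypothetical.
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
SP_AUDIENCE = "http://www.workday.com"
KNOWN_USERS = {"jsmith"}

SIGNATURE_XML = (
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#{target}"/></ds:SignedInfo>'
    "<ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>"
)


def build_response(signature_target="response", user="jsmith",
                   issuer=IDP_ENTITY_ID, audience=SP_AUDIENCE):
    """Return a constructed Response; signature_target is 'response' or 'assertion'."""
    resp_sig = SIGNATURE_XML.format(target="_resp1") if signature_target == "response" else ""
    assn_sig = SIGNATURE_XML.format(target="_assn1") if signature_target == "assertion" else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
        f' xmlns:ds="{NS["ds"]}" ID="_resp1" Version="2.0" IssueInstant="2011-01-03T16:47:19Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer>{resp_sig}"
        '<saml:Assertion ID="_assn1" Version="2.0" IssueInstant="2011-01-03T16:47:19Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer>{assn_sig}"
        f"<saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>"
        '<saml:Conditions NotBefore="2011-01-03T16:47:19Z" NotOnOrAfter="2011-01-03T16:52:19Z">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"
    )


def utc(hour, minute, second=0):
    """Helper for the sample day 2011-01-03 in UTC."""
    return dt.datetime(2011, 1, 3, hour, minute, second, tzinfo=dt.timezone.utc)


def parse_saml_time(value):
    """Parse SAML's UTC xs:dateTime (trailing Z, optional fractional seconds)."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return dt.datetime.strptime(value, fmt).replace(tzinfo=dt.timezone.utc)


def validate_response(xml_text, now, expected_issuer=IDP_ENTITY_ID,
                      expected_audience=SP_AUDIENCE, known_users=KNOWN_USERS,
                      max_skew=dt.timedelta(minutes=3)):
    """Return a list of failures; an empty list means all five checks passed."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["not a samlp:Response"]
    failures = []

    # 1) Issuer must be the configured IdP entityID.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        failures.append(f"issuer {issuer!r} is not the configured IdP")

    # 2) Signature must be on the Response and reference the Response ID.
    #    (find() only looks at direct children, so an Assertion-only signature is not found.)
    sig = root.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    if ref is None or ref.get("URI") != "#" + root.get("ID", ""):
        failures.append("Response is not signed as a whole (assertion-only signature rejected)")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        failures.append("no Assertion in Response")
        return failures

    # 3) Subject NameID must map to an existing account.
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id not in known_users:
        failures.append(f"subject {name_id!r} is not a known account")

    # 4) AudienceRestriction must name this SP.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        failures.append(f"audience {audiences!r} does not include {expected_audience!r}")

    # 5) Validity window, tolerating +/- max_skew of clock drift.
    cond = assertion.find("saml:Conditions", NS)
    not_before = cond.get("NotBefore") if cond is not None else None
    not_on_or_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not_before is None or not_on_or_after is None:
        failures.append("Conditions missing NotBefore/NotOnOrAfter")
    else:
        if now + max_skew < parse_saml_time(not_before):
            failures.append("assertion not yet valid")
        if now - max_skew >= parse_saml_time(not_on_or_after):
            failures.append("assertion expired")
    return failures


if __name__ == "__main__":
    print(validate_response(build_response(), utc(16, 48)))
    print(validate_response(build_response(signature_target="assertion"), utc(16, 48)))
```

The skew handling is the part most often got wrong: the window is widened by the skew on both ends (NotBefore minus 3 minutes, NotOnOrAfter plus 3 minutes), and NotOnOrAfter is exclusive, so a clock exactly at that instant plus the skew already fails. Everything here is conditions and structure only; the actual signature verification, and checking that the verifying key belongs to the configured issuer, still has to be done by the SAML/XML-DSig stack.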
