Shibboleth Developers

[Chad La Joie <>]

On 1/3/11 11:47 AM, Steven Carmody wrote:
> > 1) Issuer - this must match the value configured in the Workday SSO
> > setup page
> > 2) Signature - this must apply to the entire SAML message, some IdP's
> > allow for signing only the Assertion subelement instead of the entire
> > response
> > 3) Subject - this must match an existing Workday Account userID
> > 4) Conditions/AudienceRestriction - Workday requires a value of
> > 'http://www.workday.com'
> > 5) Conditions/NotBefore & NotOnOrAfter attributes - Workday enforces a
> > max skew of ± 3 minutes
>
> Some questions:
>
> 1) Would a Shibboleth IDP be able to generate a SAML msg containing a
> SAML AuthN Assertion that meets those requirements?

Yes.

> 2) Are there additional checks that the project would recommend that
> they implement ?

All the checks the Shibboleth SP does.

> 3) They currently only implement an IDP-first web browser profile. I
> expect this will mean that a "typically configured" SHib IDP would not
> be able to generate a msg meeting the above requirements ?

There is no such thing as a IdP-first web browser profile so no the IdP 
doesn't support it.  You'll have create a mock authn request and send it 
to the IdP.

--
Chad La Joie
http://itumi.biz
trusted identities, delivered