Shibboleth Developers

[Steven Carmody <>]

On 1/3/11 4:10 PM, Cantor, Scott E. wrote:
> > This is the second major vendor we've encountered that saw that text,
> > and for their own reasons decided to go ahead and implement that profile.
>
> "For their own reasons" == to ignore discovery.

some commercial providers seem to consider it unacceptable to provide 
what we call "Discovery" (ie a page that might be interpreted as a list 
of customers...). The Info Providers (eg ebsco, Elsevier, etc) have 
never been bothered by this; however, companies in other spaces seem 
very uncomfortable doing this.

The other big company we dealt with was in the financial space; we 
talked them into implementing an endpoint equivalent to Shib's /Login 
sessionInitiator. After they deployed this with a couple of other 
customers, they came back to us and said "gee, this is easy, and makes 
sense...".

> Since SAML conformance effectively requires IdP-initiated SSO, that isn't 
> really a stretch.
>
> > Is there any sort of warning that could be associated with the undefined
> > step 1, alerting implementers that this may not be supported in some
> > deploys?
>
> Warning where?

A follow on note from you says that the text is found in the original 
SSO profile.... I guess I'm suggesting a footnote along the lines of 
"Step 1 is undefined because it is a matter for the IdP deployer; SP 
implementers should discuss this with their IDP deployer partners before 
making assumptions."