shibboleth-dev - Re: [Shib-Dev] yet another java SP implementation....
Re: [Shib-Dev] yet another java SP implementation....
  • From: Christopher Bongaarts <>
  • Subject: Re: [Shib-Dev] yet another java SP implementation....
  • Date: Mon, 03 Jan 2011 15:55:27 -0600
  • Organization: University of Minnesota

Steven Carmody wrote:
On 1/3/11 4:10 PM, Cantor, Scott E. wrote:
This is the second major vendor we've encountered that saw that text,
and for their own reasons decided to go ahead and implement that profile.

"For their own reasons" == to ignore discovery.


Some commercial providers seem to consider it unacceptable to provide what we call "Discovery" (i.e. a page that might be interpreted as a list of customers...). The Info Providers (e.g. ebsco, Elsevier, etc.) have never been bothered by this; however, companies in other spaces seem very uncomfortable doing this.

The ones we've dealt with have usually been on the business side (HR, travel, W2 forms, etc.) and seem to reflect an assumption on the SP side that everyone has a Corporate Intranet that all users log into first before accessing any external services. Thus the tendency to support IdP-first as the "standard" flow. This may well be correct for most businesses, but in a university setting it falls apart.

Come to think of it, most of our users probably don't go to any of our external SPs directly; they usually follow links from our pages, either our HR self-service page, our library's list of databases, our career services site, or our local landing pages for Google Apps. In all those cases, why add an extra request/redirect to the loop, if you know what the IdP is going to be from the get-go? Until you add either multiple IdPs or custom authentication requirements, this seems like the simplest path.

We've been lucky so far in that all the IdP-first-only SPs have been able to speak SAML 1, and the legacy Shib protocol has worked for us to talk to these sites.
--
%% Christopher A. Bongaarts %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%