
shibboleth-dev - Re: [Shib-Dev] how good is the Shib SP ws-fedp support?

Subject: Shibboleth Developers


Re: [Shib-Dev] how good is the Shib SP ws-fedp support?


  • From: "Cantor, Scott E." <>
  • To: "" <>
  • Subject: Re: [Shib-Dev] how good is the Shib SP ws-fedp support?
  • Date: Thu, 23 Jun 2011 00:14:35 +0000
  • Accept-language: en-US

On 6/22/11 7:44 PM, "Peter Williams"
<>
wrote:

>
>The decision is coming down to (i) how well does Shib SP cooperate with
>ALL the modes of ws-fedp from either an ADFS or ACS asserting party, and
>(ii) how well does it drive joomla's sessions and account provisioning
>flows.

I know nothing about joomla. The WS-Federation support is minimal and
hasn't been used much that I'm aware of.

>
>
>For example, a WIF-library built federation party ( a ws-fedp bridge, in
>normal speak) that sprach upstream to Azure's ACS bridge (front a
>variety of IDPs) does not issue tokens exactly as does the classical
>ws-fedp asserting party.

Then chances are it won't work. The support is for the profile cooked up
and never standardized by MS and IBM. That's all it was meant to handle.

> First, it wraps the response in a multipletoken XML element, and
>second, some of the namespace handling causes slightly different
>serialization of the embedded XML element to that which ADFS/ACS produce
>natively.

The serialization doesn't matter, either it's valid or it's not. But if
the outer element isn't RequestSecurityTokenResponse, it won't decode.

>
>How far have folks gone with Ws-fedp use analysis and interoperability
>testing?

Not very far.

>
>Much of ws-fed and ws-fedp is about "more advanced" use case involving
>proof tokens, and non-trivial confirmation methods.

I think that's a more accurate claim of WS-Trust, but it's irrelevant.

> If I choose (as is my intuition) Shib to front Joomla vs a very
>simplistic simpleSAML-based joomla plugin, am I really getting what I
>expect - a "REALLY excellent" interaction with ws-fedp IDP?

I'm willing to fix bugs in the interoperation with ADFS using the profile
that we intended to support, but we don't have any plans to extend that
support unless somebody comes up with a compelling reason.

The ADFS support is also entirely a plugin. Any competent programmer could
copy the existing plugin and patch it to do at least some additional
things without a great deal of effort.

-- Scott
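Scott's point that the decoder keys on the outer element, as an added illustration that is not from the thread or from the Shibboleth SP plugin: a small Python check that accepts the classic RequestSecurityTokenResponse shape and rejects a response wrapped in some other element. The WS-Trust 2005/02 namespace is an assumption about what the decoder keys on; the wrapper element name and both sample responses are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: the ADFS-style passive profile carries the RSTR in the
# WS-Trust 2005/02 namespace; the thread only names the element itself.
WST_NS = "http://schemas.xmlsoap.org/ws/2005/02/trust"
RSTR = f"{{{WST_NS}}}RequestSecurityTokenResponse"
RST_TOKEN = f"{{{WST_NS}}}RequestedSecurityToken"


def extract_token(wresult: str):
    """Return (ok, detail).

    ok is True only when the outer element of the wresult is a WS-Trust
    RequestSecurityTokenResponse carrying a RequestedSecurityToken with an
    embedded token; detail is then the embedded token's tag. Otherwise ok
    is False and detail explains why the response would not decode.
    """
    try:
        root = ET.fromstring(wresult)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if root.tag != RSTR:
        return False, f"outer element is {root.tag}, not RequestSecurityTokenResponse"
    rst = root.find(RST_TOKEN)
    if rst is None or len(rst) == 0:
        return False, "no RequestedSecurityToken with an embedded token"
    return True, rst[0].tag


# Constructed sample: the classic ADFS-style shape the plugin expects.
CLASSIC = f"""<t:RequestSecurityTokenResponse xmlns:t="{WST_NS}">
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                    AssertionID="_constructed-1"/>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""

# Constructed sample: the same response wrapped in an extra outer element,
# as the thread describes for a WIF-built bridge (wrapper name is made up).
WRAPPED = (f'<x:MultipleTokens xmlns:x="urn:example:wrapper">'
           f"{CLASSIC}</x:MultipleTokens>")

if __name__ == "__main__":
    for name, doc in (("classic", CLASSIC), ("wrapped", WRAPPED)):
        print(name, extract_token(doc))
```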
