shibboleth-dev - RE: [Shib-Dev] how good is the Shib SP ws-fedp support?
Subject: Shibboleth Developers
List archive
- From: Peter Williams <>
- To: "" <>
- Subject: RE: [Shib-Dev] how good is the Shib SP ws-fedp support?
- Date: Fri, 24 Jun 2011 08:42:58 -0700
- Accept-language: en-US
- Acceptlanguage: en-US
I don't see anyone using Internet2 IP - the Shibboleth brand, for example.
But, its clear that folks are playing off the reputation of the software,
since its embedded.
And this speaks to the heart of shib dev, as folks things about version .
next.
One of my friendly competitors (paul) is using Shib to deliver his various
services. Thus, I have to understand the Shib project, at least - so as to
maximize interworking.
Three things have come up in the last year on the Shib front:
We have long imposed on Paul's several Shib IDPs a bridge model - that
insulates our SP from Shib thinking _while facilitating what users care
about: SSO experience. I note that bridging is now mainstream, with such as
Azure ACS formalizing the notion of FP entity (federation party, in
Microsoft-speak) and distinguishing at least 2 classes of such entity type:
the Azure ACS that augments IDPs (and maps name and attribute claims from one
dialect to another), and the RP-centric claims transformation agent (that is
responsible for mapping and soliciting additional authz entitlements).
Now considering our own small RP experiment using Joomla, and the potential
to use embedded-Shib (from a vendor) to add SAML2/ws-fedp protocol engines, I
ask; so HOW WELL is Shib architected to support multi-tenant SPs, like a
multi-site installation of joomla. This is looking at Shib's last-mile cookie
- and considering how well it may have been integrated with joomla token
handling. Obviously, Im looking as much at the design of the joomla
integration package as much as Shih protocol engine and Shib-cookie, to
understand this use case.
And finally, since ACS is a ws-fedp asserting entity, Ive been noting how
some the nameids and attributes from some of the IDPs that it projects into
SP domains bind to 1 of at least 2 different formats of SAML(1) tokens. ACS
takes fields from some IDP tokens and itself (re)issues
AuthenticationStatements + AttributeStatements (with largely the same info in
each). For other IDPs, the AuthenticationStatement is missing. I thus ask,
assuming Shib SP would be the recipient of such tokens, intending to manage
the shib/joomla session, how well would Shib do on being presented with a
token (in SAML2 format say) that omits the AuthenticationStatement. I ask
this, as when I use PingFederate in its place, PingFederate objefts mightly -
since essentially it expects an authenticationStatement. I note that when I
build my own SP out of the MSFT WIF tookit, there are no problems (presumably
as the library is well-aligned to the profiles used by ACS).
I don't have an answer, and don't really have any recommendations to dev
folk. But, I hope its useful to see how we were thinking, as folks perform
design work on the next version. The issues mentioned above are very
important to us, and are not going away. The ideas of directly engaged IDPs
and SP, with IDP governing multiple-tenant SP sites is just a non-starter,
perhaps undermining some of the design thinking many of use entertained just
a few years ago.
-----Original Message-----
From:
[mailto:]
On Behalf Of Cantor, Scott E.
Sent: Wednesday, June 22, 2011 5:21 PM
To:
Subject: Re: [Shib-Dev] how good is the Shib SP ws-fedp support?
On 6/22/11 8:11 PM, "Peter Williams"
<>
wrote:
>Well, I at 22 worked for a university college's commercialization arm
>(me and 2 others).
That's fine, but we don't have one, this is a purely open source project with
a trademark owned by Internet2.
>Someone offered me a "license" to get a joomla-plugin for some version
>of Shib, for $1500 - per server. Guessing it's a jip, from the comments.
Well, the *plugin* probably isn't saying it's Shibboleth, it's some
integration code that works along with the SP to make whatever joomla is
work. Is that a bad deal? Probably, but I suppose code in hand is worth
something. I don't know what the plugin has to do.
The confluence plugin is probably the most ambitious one around. Is it worth
$1500? Seems a bit much to me.
If they are saying they're selling you "Shibboleth", please forward any info
on that directly to any of us, since that's a trademark violation.
>Im perfectly well aware that how well shib (commercial version or
>otherwise) works with ws-fedp is a function of the knowhow of the
>folks, working here. How well DOES IT? Is the real question.
Minimally I would say. Very little use that I know about.
>For example, a very obvious simpleSAML token decoder in joomla did NOT
>assume that multiple tokens MIGHT be a response - and thus cannot work
>with the MSFT "best practices" FP agent, which re-casts a upstream
>token for the SP, having done (yet) some (more) claims transformation.
>The typical WIF-build FP agent happens to construct token encodings
>that the obvious script-based decoders FAIL to parse (and handle).
Well, here's the point: that is NOT compliant with the profile that was used
for interop testing of ADFS back in the day. Microsoft can play games all
they want, but it won't interoperate.
>As a commercial user, Id be QUITE happy to pay $1500 for a "problem
>solver", having built in extensive interoperability testing.
>Obviously, I don't want to pay $1500 for what is publicly available,
>dressed up for sale.
It seems unlikely to me that they're offering you a better plugin for WS-Fed
in the SP.
-- Scott
- [Shib-Dev] how good is the Shib SP ws-fedp support?, Peter Williams, 06/22/2011
- Re: [Shib-Dev] how good is the Shib SP ws-fedp support?, Peter Schober, 06/22/2011
- Re: [Shib-Dev] how good is the Shib SP ws-fedp support?, Chad La Joie, 06/22/2011
- RE: [Shib-Dev] how good is the Shib SP ws-fedp support?, Peter Williams, 06/22/2011
- Re: [Shib-Dev] how good is the Shib SP ws-fedp support?, Cantor, Scott E., 06/22/2011
- RE: [Shib-Dev] how good is the Shib SP ws-fedp support?, Peter Williams, 06/24/2011
- Re: [Shib-Dev] how good is the Shib SP ws-fedp support?, Cantor, Scott E., 06/24/2011
- Re: [Shib-Dev] how good is the Shib SP ws-fedp support?, Peter Schober, 06/24/2011
- RE: [Shib-Dev] how good is the Shib SP ws-fedp support?, Peter Williams, 06/24/2011
- Re: [Shib-Dev] how good is the Shib SP ws-fedp support?, Cantor, Scott E., 06/24/2011
- RE: [Shib-Dev] how good is the Shib SP ws-fedp support?, Peter Williams, 06/24/2011
- Re: [Shib-Dev] how good is the Shib SP ws-fedp support?, Cantor, Scott E., 06/24/2011
- RE: [Shib-Dev] how good is the Shib SP ws-fedp support?, Peter Williams, 06/24/2011
- Re: [Shib-Dev] how good is the Shib SP ws-fedp support?, Cantor, Scott E., 06/24/2011
- RE: [Shib-Dev] how good is the Shib SP ws-fedp support?, Peter Williams, 06/26/2011
- Re: [Shib-Dev] how good is the Shib SP ws-fedp support?, Cantor, Scott E., 06/26/2011
- Re: [Shib-Dev] how good is the Shib SP ws-fedp support?, Cantor, Scott E., 06/24/2011
- RE: [Shib-Dev] how good is the Shib SP ws-fedp support?, Peter Williams, 06/24/2011
- Re: [Shib-Dev] how good is the Shib SP ws-fedp support?, Cantor, Scott E., 06/22/2011
- RE: [Shib-Dev] how good is the Shib SP ws-fedp support?, Peter Williams, 06/22/2011
- Re: [Shib-Dev] how good is the Shib SP ws-fedp support?, Chad La Joie, 06/22/2011
- Re: [Shib-Dev] how good is the Shib SP ws-fedp support?, Peter Schober, 06/22/2011
Archive powered by MHonArc 2.6.16.