shibboleth-dev - RE: [Shib-Dev] how good is the Shib SP ws-fedp support?
  • From: Peter Williams <>
  • To: "" <>
  • Subject: RE: [Shib-Dev] how good is the Shib SP ws-fedp support?
  • Date: Fri, 24 Jun 2011 08:42:58 -0700
  • Accept-language: en-US

I don't see anyone using Internet2 IP - the Shibboleth brand, for example.
But, it's clear that folks are playing off the reputation of the software,
since it's embedded.

And this speaks to the heart of shib dev, as folks think about version
.next.

One of my friendly competitors (Paul) is using Shib to deliver his various
services. Thus, I have to understand the Shib project, at least - so as to
maximize interworking.

Three things have come up in the last year on the Shib front:

We have long imposed on Paul's several Shib IDPs a bridge model - that
insulates our SP from Shib thinking while facilitating what users care
about: the SSO experience. I note that bridging is now mainstream, with such as
Azure ACS formalizing the notion of the FP entity (federation party, in
Microsoft-speak) and distinguishing at least 2 classes of such entity type:
the Azure ACS that augments IDPs (and maps name and attribute claims from one
dialect to another), and the RP-centric claims transformation agent (that is
responsible for mapping and soliciting additional authz entitlements).

Now considering our own small RP experiment using Joomla, and the potential
to use embedded-Shib (from a vendor) to add SAML2/ws-fedp protocol engines, I
ask: so HOW WELL is Shib architected to support multi-tenant SPs, like a
multi-site installation of Joomla? This is looking at Shib's last-mile cookie
- and considering how well it may have been integrated with Joomla token
handling. Obviously, I'm looking as much at the design of the Joomla
integration package as at the Shib protocol engine and Shib-cookie, to
understand this use case.

And finally, since ACS is a ws-fedp asserting entity, I've been noting how
some of the nameids and attributes from some of the IDPs that it projects into
SP domains bind to 1 of at least 2 different formats of SAML(1) tokens. ACS
takes fields from some IDP tokens and itself (re)issues
AuthenticationStatements + AttributeStatements (with largely the same info in
each). For other IDPs, the AuthenticationStatement is missing. I thus ask,
assuming Shib SP would be the recipient of such tokens, intending to manage
the shib/joomla session, how well would Shib do on being presented with a
token (in SAML2 format, say) that omits the AuthenticationStatement? I ask
this, as when I use PingFederate in its place, PingFederate objects mightily -
since essentially it expects an authenticationStatement. I note that when I
build my own SP out of the MSFT WIF toolkit, there are no problems (presumably
as the library is well-aligned to the profiles used by ACS).

I don't have an answer, and don't really have any recommendations to dev
folk. But, I hope it's useful to see how we were thinking, as folks perform
design work on the next version. The issues mentioned above are very
important to us, and are not going away. The idea of directly engaged IDPs
and SP, with the IDP governing multiple-tenant SP sites, is just a non-starter,
perhaps undermining some of the design thinking many of us entertained just
a few years ago.
-----Original Message-----
From: [mailto:] On Behalf Of Cantor, Scott E.
Sent: Wednesday, June 22, 2011 5:21 PM
To:
Subject: Re: [Shib-Dev] how good is the Shib SP ws-fedp support?

On 6/22/11 8:11 PM, "Peter Williams" <> wrote:

>Well, I at 22 worked for a university college's commercialization arm
>(me and 2 others).

That's fine, but we don't have one, this is a purely open source project with
a trademark owned by Internet2.

>Someone offered me a "license" to get a joomla-plugin for some version
>of Shib, for $1500 - per server. Guessing it's a jip, from the comments.

Well, the *plugin* probably isn't saying it's Shibboleth, it's some
integration code that works along with the SP to make whatever joomla is
work. Is that a bad deal? Probably, but I suppose code in hand is worth
something. I don't know what the plugin has to do.

The confluence plugin is probably the most ambitious one around. Is it worth
$1500? Seems a bit much to me.

If they are saying they're selling you "Shibboleth", please forward any info
on that directly to any of us, since that's a trademark violation.

>I'm perfectly well aware that how well shib (commercial version or
>otherwise) works with ws-fedp is a function of the knowhow of the
>folks working here. How well DOES IT? is the real question.

Minimally I would say. Very little use that I know about.

>For example, a very obvious simpleSAML token decoder in joomla did NOT
>assume that multiple tokens MIGHT be a response - and thus cannot work
>with the MSFT "best practices" FP agent, which re-casts an upstream
>token for the SP, having done (yet) some (more) claims transformation.
>The typical WIF-built FP agent happens to construct token encodings
>that the obvious script-based decoders FAIL to parse (and handle).

Well, here's the point: that is NOT compliant with the profile that was used
for interop testing of ADFS back in the day. Microsoft can play games all
they want, but it won't interoperate.

>As a commercial user, I'd be QUITE happy to pay $1500 for a "problem
>solver", having built in extensive interoperability testing.
>Obviously, I don't want to pay $1500 for what is publicly available,
>dressed up for sale.

It seems unlikely to me that they're offering you a better plugin for WS-Fed
in the SP.

-- Scott
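The case Peter raises above (an SP handed a SAML 2.0 assertion that carries an AttributeStatement but no AuthnStatement, which PingFederate rejects outright) is easier to reason about once the SP makes the statement check explicit. The following is an added example, not code from the thread, from Shibboleth, ACS or PingFederate; the issuer, subject and attribute values in the two sample assertions are constructed, and the assertions are unsigned, so the signature, audience and bearer-condition checks a real SP performs first are assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2}

def statement_summary(assertion_xml: str) -> dict:
    """Report which SAML 2.0 statement kinds the assertion carries, plus attribute names."""
    root = ET.fromstring(assertion_xml)
    attrs = [a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)]
    return {
        "authn": root.find("saml:AuthnStatement", NS) is not None,
        "attribute": root.find("saml:AttributeStatement", NS) is not None,
        "attributes": attrs,
    }

def session_decision(assertion_xml: str, require_authn: bool = True) -> str:
    """Decide whether the SP may open a login session from this assertion.

    require_authn=True mirrors the strict behaviour described in the thread
    (no AuthnStatement, no session). False accepts an attribute-only assertion,
    which is only reasonable once signature, audience and bearer-condition
    checks (not shown here) have already tied the assertion to this SP.
    """
    s = statement_summary(assertion_xml)
    if s["authn"]:
        return "session"
    if s["attribute"] and not require_authn:
        return "session-without-authn"
    return "reject"

# Constructed sample assertions (hypothetical issuer and subject values, unsigned).
WITH_AUTHN = f"""<saml:Assertion xmlns:saml="{SAML2}" ID="_a1" Version="2.0" IssueInstant="2011-06-24T15:00:00Z">
  <saml:Issuer>https://acs.example.test/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2011-06-24T14:59:00Z"><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement><saml:Attribute Name="mail"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

ATTR_ONLY = f"""<saml:Assertion xmlns:saml="{SAML2}" ID="_a2" Version="2.0" IssueInstant="2011-06-24T15:00:00Z">
  <saml:Issuer>https://acs.example.test/</saml:Issuer>
  <saml:Subject><saml:NameID>bob@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="mail"><saml:AttributeValue>bob@example.test</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for name, doc in (("with AuthnStatement", WITH_AUTHN), ("attribute-only", ATTR_ONLY)):
        print(name, statement_summary(doc), session_decision(doc))
```

With the default strict policy the attribute-only assertion is rejected, which is the PingFederate-style outcome Peter describes; relaxing it is a deliberate configuration choice an SP operator should make knowingly, not something a parser should do by accident.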