shibboleth-dev - Re: [Shib-Dev] how good is the Shib SP ws-fedp support?

  • From: "Cantor, Scott E." <>
  • To: "" <>
  • Subject: Re: [Shib-Dev] how good is the Shib SP ws-fedp support?
  • Date: Fri, 24 Jun 2011 19:20:38 +0000
  • Accept-language: en-US

On 6/24/11 3:10 PM, "Peter Williams" <> wrote:

>Is there anything wrong with minting an SAML token with no
>AuthenticationStatement?

If you're attempting to claim conformance to a profile that requires one,
yes. If you're not claiming that, then no.

>No there is not. Obviously, the token doesn't have the semantics of the
>AuthnRequest protocol (in the SAML2 spec).

It doesn't meet the requirements of the SSO *profile*. We implement
profiles. If you need a new profile, that's usually going to be new code.
It may well be very little new code.

>Now, when interworking using SAML2 protocol, the thinking is probably
>different. Now, enforce the semantics of the authnReq protocol. A different
>level of rigour.

That's all I'm saying.

>I suspect they are trying to DISTINGUISH the saml2 flows from ws-fedp
>flows, each having different security models - where the SAML2 flows come
>with a certain relationship model between agents. And, knowing MSFT,
>there are different generations of ws-fedp (since it's already a decade
>old).

Your attempt to paint this as anything but arbitrary laziness on the part
of whoever wrote the code is not persuasive to me. You ascribe design
where I think there is simply domain ignorance and lack of attention to
detail.

>Anyways, getting way off topic. Shib obviously ain't going here. I think
>my final conclusion is: use Shib2 for SAML2, and that's it.

If you don't want to write code to implement the custom thing you want to
do, that's correct. What is, I think, a mistake, is believing that
anything else will be much better. You can't interoperate without a
profile.

Our position on shipping new profiles is simply that they should be
formalized and be something that materially helps deployers. Your case may
be the latter, but that's not the only consideration.

Would it be cool to have a scriptable profile that lets somebody customize
it easily from outside? Sure. I don't have that.

And if what you want is something that can be tweaked using PHP code, it
stands to reason that a PHP implementation would be more amenable to that.

-- Scott
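The point Scott makes above is that an SP implementing the SAML 2.0 Web Browser SSO profile is entitled to reject an assertion that carries no AuthnStatement, because the profile (not just the assertion schema) is what the SP enforces. The following is an added example, not code from the Shibboleth project or from either poster, of the kind of profile check an SP performs before treating an assertion as an SSO login. It uses only the Python standard library; the two assertion documents are constructed for the example, the function name `sso_profile_violations` is hypothetical, and the checks are limited to the bearer SubjectConfirmation and AuthnStatement requirements that the thread discusses (signature validation, audience, and time-window checks happen elsewhere and are omitted here).

```python
"""Profile-level checks an SP applies to a SAML 2.0 assertion used for SSO.

Added illustration for this thread; not Shibboleth SP code.  Shows why an
attribute-only token (no AuthnStatement) is schema-valid yet fails the
Web Browser SSO profile that a conforming SP implements.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def _q(local):
    """Clark-notation qualified name in the SAML 2.0 assertion namespace."""
    return "{%s}%s" % (SAML_NS, local)


def sso_profile_violations(assertion_xml):
    """Return a list of Web Browser SSO profile violations (empty = acceptable).

    Only the profile requirements discussed in the thread are checked:
    a bearer SubjectConfirmation and at least one AuthnStatement.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != _q("Assertion"):
        return ["root element is not a saml2:Assertion"]

    problems = []

    subject = root.find(_q("Subject"))
    if subject is None:
        problems.append("missing saml2:Subject")
    else:
        confirmations = subject.findall(_q("SubjectConfirmation"))
        if not any(c.get("Method") == BEARER for c in confirmations):
            problems.append("no bearer SubjectConfirmation")

    authn = root.findall(_q("AuthnStatement"))
    if not authn:
        # This is the case the thread is about: a token that is a valid
        # assertion but carries no authentication event for the SP to consume.
        problems.append("missing saml2:AuthnStatement (required by the Web Browser SSO profile)")
    elif any(a.get("AuthnInstant") is None for a in authn):
        problems.append("AuthnStatement without AuthnInstant")

    return problems


# Constructed sample: an assertion that satisfies the checked profile rules.
SSO_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2011-06-24T19:00:00Z">
  <saml2:Issuer>https://idp.example.org/idp</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>alice</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml2:Subject>
  <saml2:AuthnStatement AuthnInstant="2011-06-24T18:59:00Z">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="mail">
      <saml2:AttributeValue>alice@example.org</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed sample: the attribute-only token from the thread's question.
ATTRIBUTE_ONLY_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example2" Version="2.0" IssueInstant="2011-06-24T19:00:00Z">
  <saml2:Issuer>https://idp.example.org/idp</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>alice</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="mail">
      <saml2:AttributeValue>alice@example.org</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


if __name__ == "__main__":
    for label, doc in (("sso", SSO_ASSERTION), ("attribute-only", ATTRIBUTE_ONLY_ASSERTION)):
        print(label, "->", sso_profile_violations(doc) or "acceptable under the checked rules")
```

Running the block reports the first document as acceptable and the second as missing its AuthnStatement; that second result is exactly the behaviour Scott describes, and an SP that wants to accept such tokens needs a different (new) profile rather than a relaxed SSO check.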
