
shibboleth-dev - Re: [Shib-Dev] how good is the Shib SP ws-fedp support?

Subject: Shibboleth Developers

  • From: "Cantor, Scott E." <>
  • To: "" <>
  • Subject: Re: [Shib-Dev] how good is the Shib SP ws-fedp support?
  • Date: Fri, 24 Jun 2011 22:21:13 +0000
  • Accept-language: en-US

On 6/24/11 6:07 PM, "Peter Williams" wrote:

>Ok. We can say things academically now: Shib has not implemented the ACS
>profile, which is a variant of the ADFSv2 profile, all of which are
>variants of (profile of) ws-fedp specification's standard types.

There is no ADFSv2 profile, AFAIK. If I'm mistaken, please provide a
reference to it. I actually assumed they would have a SAML 2.0 variant of
WS-Fed Passive IP, but I never saw one done.

>Oh, and neither has PingFederate.latest. And that's annoying, since it
>claimed to have become "compatible" with WIF (the library that implies
>the various ACS and other profiles, not that anyone outside Microsoft
>apparently knows what they are).

Which is the point. Profiles that aren't public are not of any relevance
to other implementers. Profiles are something you can implement to.

If your goal is to be samba, obviously you can take the onus and reverse
engineer things. We're not doing that. And honestly, I wouldn't start with
Microsoft's WS-Federation stuff if we did, since they seem to be dumping
that for OAuth.

>So the right question for the "shoomla" (shib+joomla) product vendor is:
>did you augment open source Shib with an ACS-specific profile that tunes
>the SP for the way in which ACS v2 uses OASIS saml standard types.

That would be a fair question, yes. The answer is almost certainly no of
course.

>If the answer is yes, it's worth $1500 as it's cost me way more than that
>to merely understand the issue. $1500 is basically 10 hours of
>programming (or 6 hours at US defense contract rates). I doubt I could
>produce an ACS profile in Shib in 10 hours, and at reasonable QA. After
>2h on Microsoft forums, I cannot even figure how to make an
>AuthenticationStatement.

I'm sure that's true, that's why I said code in hand is worth something.

-- Scott



