[wsf-dev] ECP plugin build/execute feedback
Peter Williams
pwilliams at rapattoni.com
Mon Apr 28 12:31:59 PDT 2008
Wonderful that there is an easy way! I just read the code, fiddled step by step till it did something sensible. At least I now understand handler mode much better, so SAML/ShibSP itself becomes a service operating on its own host supporting a cluster of webapps.
Q: is there any way via query-string to populate the IDPList with >1 entry?
In terms of my own ECP client (for post WAP1 era usages) there is only 1 agenda with 3 components, which I trust can merge with other folks' efforts:
1. Nominally, the proxy will be the generator of the AuthnResponse. How it generates/signs this blob is a blackbox issue for the SP.
2. In fact, my own proxy will leverage a data server (from a realty open standard peculiar to US Realty) that looks and functions a bit like a SemWeb SPARQL server, listening for data queries on some or other URI binding.
3. The data servers already operate their own secure chaining model. Thus, the ECP proxy can be seen as an aggregator of SAML assertions that said chaining parties provide, and will act as the ultimate signer of the AuthnResponse.
From the std, the ECP proxy is obligated to restrict which SAML assertions it puts into a Response, and from which (single) source.
In a second phase, I will then play with ECP/SAML2 proxying in its own right, trying to take from the WAP1 roaming world what's useful to carry forward to today.
_________________________
Peter Williams
Chief Information Security Officer
Mobile (805) 416-6305
From: Scott Cantor
Sent: Mon 4/28/2008 12:10 PM
To: 'Peter Williams'; wsf-dev at lists.openliberty.org
Subject: RE: [wsf-dev] ECP plugin build/execute feedback
> To allow IIS7 (via the shib_isapi handler) to invoke the NativeSP in
> "handler" mode (so Shib2 acts as a layer 5 protocol engine, rather than
> web-session middleware) and then support a trial generating a SAMLRequest
> using ECP and PAOS, I did the following
None of that is necessary, Shibboleth is easily able to issue requests with
a simple get to /Shibboleth.sso/Login.
> 4. Invoke trial using tool like curl(1) ...using GET to induce protocol
> run, where providerId parameter is demonstrably set to "none" to showcase
> the ECP scenario.
That means you want to use the IdP named "none". You want to omit it
altogether.
(The I2 lists are down, that's why your message hasn't made it yet. If
you're having problems with the SP that required you to change the code,
just ask directly until the list is up.)
-- Scott
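Both Peter's question about an IDPList with more than one entry and Scott's point that an ECP run starts with a plain GET to /Shibboleth.sso/Login come down to what the ECP client does with the PAOS envelope the SP returns. The following is an added example, not code from either poster or from the Shibboleth project: a small Python parser for that envelope that pulls out the responseConsumerURL, every IdP the SP lists (so a multi-entry IDPList is handled, not just the first), and the AuthnRequest body to forward to the chosen IdP's SOAP endpoint, plus the consumer-URL comparison the ECP profile requires before the client relays the IdP's answer back to the SP. The element and attribute names follow the SAML 2.0 ECP/PAOS profile; the sample envelope, hostnames, IDs and the ECP endpoint paths are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the ECP/PAOS profile (SOAP 1.1, Liberty PAOS, SAML 2.0).
NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Headers the ECP client sends on its GET to the SP (e.g. /Shibboleth.sso/Login)
# so the SP answers with a PAOS envelope instead of an HTML redirect.
CLIENT_HEADERS = {
    "Accept": "text/html; application/vnd.paos+xml",
    "PAOS": 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
}

# Constructed sample of the envelope an SP returns; hosts and IDs are placeholders.
SAMPLE_ENVELOPE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <paos:Request xmlns:paos="urn:liberty:paos:2003-08" S:mustUnderstand="1"
        S:actor="http://schemas.xmlsoap.org/soap/actor/next"
        responseConsumerURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP"
        service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
    <ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" S:mustUnderstand="1"
        S:actor="http://schemas.xmlsoap.org/soap/actor/next" IsPassive="false">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.org/shibboleth</saml:Issuer>
      <samlp:IDPList xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <samlp:IDPEntry ProviderID="https://idp-a.example.org/idp" Name="IdP A"
            Loc="https://idp-a.example.org/idp/profile/SAML2/SOAP/ECP"/>
        <samlp:IDPEntry ProviderID="https://idp-b.example.org/idp" Name="IdP B"
            Loc="https://idp-b.example.org/idp/profile/SAML2/SOAP/ECP"/>
      </samlp:IDPList>
    </ecp:Request>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_placeholder1"
        Version="2.0" IssueInstant="2008-04-28T19:31:59Z"
        AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.org/shibboleth</saml:Issuer>
    </samlp:AuthnRequest>
  </S:Body>
</S:Envelope>"""


def parse_sp_paos_request(xml_text):
    """Parse the PAOS envelope an SP hands to an ECP client.

    Returns the responseConsumerURL, the SP's Issuer, the IsPassive flag, every
    (ProviderID, Loc) pair from the ecp:Request IDPList, and the AuthnRequest element.
    """
    root = ET.fromstring(xml_text)
    paos_req = root.find("S:Header/paos:Request", NS)
    ecp_req = root.find("S:Header/ecp:Request", NS)
    authn = root.find("S:Body/samlp:AuthnRequest", NS)
    if paos_req is None or ecp_req is None or authn is None:
        raise ValueError("not an ECP/PAOS request envelope")
    idps = [(e.get("ProviderID"), e.get("Loc"))
            for e in ecp_req.findall("samlp:IDPList/samlp:IDPEntry", NS)]
    return {
        "response_consumer_url": paos_req.get("responseConsumerURL"),
        "issuer": ecp_req.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "is_passive": ecp_req.get("IsPassive", "false") == "true",
        "idps": idps,
        "authn_request": authn,
    }


def choose_idp(idps, preferred=None):
    """Pick the IdP to contact: the preferred ProviderID if the SP listed it, else the first.

    An empty IDPList means the SP expressed no preference and the client must use its own config.
    """
    if not idps:
        raise ValueError("SP supplied no IdP candidates")
    if preferred is None:
        return idps[0]
    for provider_id, loc in idps:
        if provider_id == preferred:
            return provider_id, loc
    raise ValueError("preferred IdP is not in the SP's IDPList")


def build_idp_envelope(authn_request):
    """Wrap only the SP's AuthnRequest in a plain SOAP envelope for the IdP's ECP endpoint.

    The paos:Request and ecp:Request headers are addressed to the client, so they are
    dropped; the AuthnRequest is forwarded as-is (it may carry the SP's signature).
    """
    env = ET.Element("{%s}Envelope" % NS["S"])
    ET.SubElement(env, "{%s}Header" % NS["S"])
    body = ET.SubElement(env, "{%s}Body" % NS["S"])
    body.append(authn_request)
    return ET.tostring(env, encoding="unicode")


def consumer_url_matches(paos_response_consumer_url, idp_acs_url):
    """Mandatory ECP client check: the AssertionConsumerServiceURL the IdP returns in its
    ecp:Response header must equal the SP's paos:Request responseConsumerURL. On mismatch
    the client must not deliver the IdP's response to the SP (it returns a SOAP fault)."""
    return paos_response_consumer_url == idp_acs_url
```

In the real flow the second argument to `consumer_url_matches` comes from the IdP's `ecp:Response` header, not from the SP's own AuthnRequest; the sample only has the SP side, so a caller would compare against that header once the IdP has answered.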