SAML 1.1 with Shibboleth 2.0


SAML 1.1 with Shibboleth 2.0

Will Hartung-3
I have an appliance that can use SAML 1.1 for an SSO session, and I was curious whether I should be using Shibboleth 2, or 1.3. It's not really clear to me.

Also, is there a reference on creating a new Service Provider for Shibboleth rather than using the provided daemon? All of the SSO references relate to the usage of the Shibboleth daemon that handles the SAML aspect and exposes them as HTTP headers. I need something more direct for this use case.

Any pointers welcome.

Thanx!

Regards,

Will Hartung


RE: SAML 1.1 with Shibboleth 2.0

Cantor, Scott E.
Will Hartung wrote on 2009-01-20:
> I have an appliance that can use SAML 1.1 for an SSO session, and I was
> curious whether I should be using Shibboleth 2, or 1.3. It's not really
> clear to me.

Could you please point to whatever you're reading that isn't 100% clear that
you should be using the latest version so we can improve it? But you're
following this up by indicating you can't use either one anyway, so I'm not
sure why this matters in your situation.

> Also, is there a reference on creating a new Service Provider for
> Shibboleth rather than using the provided daemon?

Yes, the SAML standard and whatever other profiles you're attempting to
interoperate with. Shibboleth is a piece of software. You don't create a new
SP "for Shibboleth", you create a new SP "instead of" using Shibboleth.

-- Scott



Re: SAML 1.1 with Shibboleth 2.0

Will Hartung-3


On Tue, Jan 20, 2009 at 10:29 AM, Scott Cantor <[hidden email]> wrote:
> Will Hartung wrote on 2009-01-20:
>> I have an appliance that can use SAML 1.1 for an SSO session, and I was
>> curious whether I should be using Shibboleth 2, or 1.3. It's not really
>> clear to me.
>
> Could you please point to whatever you're reading that isn't 100% clear that
> you should be using the latest version so we can improve it? But you're
> following this up by indicating you can't use either one anyway, so I'm not
> sure why this matters in your situation.

I wasn't sure if the latest Shibboleth supported the older standard, that's all.

>> Also, is there a reference on creating a new Service Provider for
>> Shibboleth rather than using the provided daemon?
>
> Yes, the SAML standard and whatever other profiles you're attempting to
> interoperate with. Shibboleth is a piece of software. You don't create a new
> SP "for Shibboleth", you create a new SP "instead of" using Shibboleth.

I was under the impression that Shibboleth was a generic SAML Identity Provider. For the common web SSO use case, you use the Shibboleth daemon as a bridge to your Service Provider, which I consider the web site to be, and the Shibboleth daemon is the glue to make it easier to convert an off-the-shelf web site/server into a SAML Service Provider.

I didn't consider the Shibboleth daemon itself to be a SP, rather the combined whole.

In any case, I assume I can still use Shibboleth as a compliant SAML IdP, but I have not seen any specific writeups on how you create a Service Provider that interacts with a Shibboleth IdP. Notably things like what URLs to use, ports, etc.


Is there anything like that available, or is there another resource you could suggest?

Thanx!

Regards,

Will Hartung



RE: SAML 1.1 with Shibboleth 2.0

Cantor, Scott E.
Will Hartung wrote on 2009-01-20:
> I wasn't sure if the latest Shibboleth supported the older standard,
> that's all.

That's my point...please tell me what you read that didn't clearly say so, so
we can fix it. This question gets asked weekly or more.

> I was under the impression that Shibboleth was a generic SAML Identity
> Provider.

There's an IdP and an SP, but yes. That's what I was saying. You don't write
an alternative IdP or SP "for Shibboleth", but for SAML.

> For the common web SSO use case, you use the Shibboleth daemon as
> a bridge to your Service Provider, which I consider the web site to be,
> and the Shibboleth daemon is the glue to make it easier to convert an
> off-the-shelf web site/server into a SAML Service Provider.

Well, the "daemon" is part of the SP, it's not a bridge to anything. The
daemon isn't at all what makes it easier to do that. Arguably it's the least
relevant piece for that. The web server plugin is what makes that easier, I
would suppose.

> I didn't consider the Shibboleth daemon itself to be a SP, rather the
> combined whole.

That's definitely true. The daemon is an implementation detail, it isn't
relevant to a question like this.
 
> In any case, I assume I can still use Shibboleth as a compliant SAML IdP,
> but I have not seen any specific writeups on how you create a Service
> Provider that interacts with a Shibboleth IdP. Notably things like what
> URLs to use, ports, etc.

That is covered by the SAML standard and/or whatever other profiles you
happen to need. The URLs and ports are not dictated by the standard, they're
(generally) in metadata.

> Is there anything like that available, or is there another resource you
> could suggest?

Yes, the SAML standard.

https://spaces.internet2.edu/display/SHIB2/TechnicalSpecs 

-- Scott
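Scott's point that the URLs and ports are not in the standard but in metadata is easy to see with a short parser. The following is an added example, not code from this thread or from the Shibboleth project: it reads a constructed SAML 2.0 metadata document for a hypothetical IdP (entityID, hostnames, port and certificate are all made up), checks which protocols the IdP advertises, and pulls the SingleSignOnService endpoints out by binding so an SP implementer can see where the host and port actually come from. The Shibboleth 1.x AuthnRequest binding URI and the SAML 2.0 HTTP-Redirect binding URI are the values such metadata uses; the function and variable names are my own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespaces used in SAML 2.0 metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Protocol and binding identifiers an SP would look for.
SAML11_PROTOCOL = "urn:oasis:names:tc:SAML:1.1:protocol"
SAML20_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
SHIB1_AUTHNREQUEST = "urn:mace:shibboleth:1.0:profiles:AuthnRequest"
SAML2_HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata for a hypothetical IdP; nothing here is a real
# deployment. Note the SAML 1.1 SSO endpoint lives on a non-default port.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.example.org:8443/idp/profile/Shibboleth/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract the pieces an SP needs from an IdP's EntityDescriptor.

    Metadata should come from a trusted, integrity-checked source (signed,
    or fetched over TLS from the federation/IdP operator) before any of
    these values are relied on.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected an md:EntityDescriptor document")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("entity has no IDPSSODescriptor; it is not an IdP")

    # protocolSupportEnumeration is a whitespace-separated list of URIs.
    protocols = set(idp.get("protocolSupportEnumeration", "").split())

    # Endpoints are keyed by binding; the SP picks the binding it speaks.
    sso = {}
    for ep in idp.findall("md:SingleSignOnService", NS):
        location = ep.get("Location", "")
        if urlsplit(location).scheme != "https":
            raise ValueError("refusing non-https SSO endpoint: %r" % location)
        sso[ep.get("Binding")] = location

    # Signing certificates (base64 DER) used to verify the IdP's assertions.
    certs = [
        c.text.strip()
        for c in idp.findall("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
        if c.text
    ]
    return {
        "entity_id": root.get("entityID"),
        "protocols": protocols,
        "sso_endpoints": sso,
        "signing_certs": certs,
    }


def endpoint_host_port(location):
    """Return (host, port) for an endpoint URL, defaulting the port from the scheme."""
    parts = urlsplit(location)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP:", info["entity_id"])
    print("speaks SAML 1.1:", SAML11_PROTOCOL in info["protocols"])
    for binding, loc in info["sso_endpoints"].items():
        print(binding, "->", endpoint_host_port(loc))
```

The SP side of the question in the thread reduces to this lookup: choose the binding your software implements, read the matching Location from the IdP's metadata, and verify assertions against the signing certificate the same metadata carries. Nothing about the host or port is fixed by SAML itself, which is why the example rejects an endpoint only on the one property the protocol does care about (it must be https) and otherwise takes whatever the metadata says.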