Subject: How does Shib WAYF work? (was: Re: [security-services] IdP Discovery)


Ok, so I went and looked at ..

https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/WAYFDev

..and at various other stuff lying about wrt WAYF, and I have some questions
about how a WAYF actually works -- the description pointed to above and the other
stuff I found just skim the surface...

0. A WAYF is a distinct service and implementation thereof that is run on some 
network node. (yes?)

1. So each SP that is Shib-enabled is configured with one or more WAYFs to use?

2. The only info the WAYF gets from an SP, at time of redirecting a UA to the 
WAYF, is the SP's entityID, yes? Is the Shib notion of an entityID congruent 
with SAMLv2's ProviderID? If not what are salient differences?

3. My understanding of Shib's conventions is that individual users are not
supposed to have to manually type in anything wrt identifying their IDP. So, a
given WAYF either has to be config'd with lists of IDPs it knows about, or it
gets info dynamically from the UA (via e.g. _saml_idp CDC), or a combination, yes?

   What happens if the WAYF can't determine an IDP for a given UA/user to use
   with a given SP?

4. The Shib WAYF isn't necessarily wedded to SAML profiles as the subsequent 
SSO protocol vehicle, yes?


It's interesting to compare the Shib WAYF to Yadis -- both do IDP 
discovery/introduction, and both supply IDP metadata to the SP.

Without yet having answers to the above questions, it seems that the salient
differences between YADIS (as far as I presently understand it) and Shib WAYF are..

D1. Yadis isn't a distinct service (WAYF is), rather it's a methodology for an 
SP to dereference a user-supplied identifier and obtain a pointer to an IDP and 
metadata thereof.

D2. In Yadis the user (or his browser ;) is responsible for supplying the
user's (IDP) ID that is subject to the dereferencing, and SPs are responsible
for prompting for this, and performing subsequent dereferencing.

Any other salient differences?

thanks,

=JeffH
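The decision step that question 3 asks about, sketched as an added example (not code from the message, from the Shibboleth project, or from the WAYF page linked above): a WAYF that receives an SP's entityID, consults its configured IdP list, and falls back to the _saml_idp common domain cookie. The cookie encoding assumed here (a space-separated list of base64-encoded IdP entityIDs, most recently used last) follows the SAML 2.0 Identity Provider Discovery profile; the entityID values, the known-SP check and the function names are constructed for illustration. When neither source yields a known IdP the function returns None, which is the "can't determine an IDP" case where a WAYF has to prompt the user instead.

```python
import base64
from typing import Iterable, List, Optional

# Constructed sample: the IdPs this WAYF is configured to know about
# (stands in for the WAYF's metadata/config), keyed by entityID.
KNOWN_IDPS = {
    "https://idp.example.edu/shibboleth": "Example University",
    "https://idp.example.org/shibboleth": "Example Org",
}

# Constructed sample: the SP entityIDs this WAYF is willing to serve.
# Checking the SP against configured metadata is an assumption of this
# example, not something the message describes.
KNOWN_SPS = {"https://sp.example.com/shibboleth"}


def parse_saml_idp_cookie(cookie_value: str) -> List[str]:
    """Decode a _saml_idp common domain cookie into IdP entityIDs, oldest first.

    Assumes the SAML 2.0 IdP Discovery profile encoding: entries separated by
    spaces, each base64-encoded, most recently used entry last.
    """
    entity_ids: List[str] = []
    for token in cookie_value.split():
        try:
            entity_ids.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            # Malformed entry: skip it rather than act on an unparseable value.
            continue
    return entity_ids


def make_saml_idp_cookie(entity_ids: Iterable[str]) -> str:
    """Encode entityIDs into the _saml_idp cookie format assumed above."""
    return " ".join(base64.b64encode(e.encode("utf-8")).decode("ascii") for e in entity_ids)


def choose_idp(sp_entity_id: str, cookie_value: Optional[str]) -> Optional[str]:
    """Return the entityID of the IdP to send the user to, or None if undetermined.

    Only the SP's entityID arrives with the redirect (question 2); the IdP is
    chosen from the WAYF's own configuration plus the cookie (question 3).
    """
    if sp_entity_id not in KNOWN_SPS:
        # Refuse to act for an SP that is not in configured metadata.
        raise ValueError("unknown SP entityID: %s" % sp_entity_id)

    if cookie_value:
        # Most recently used IdP is last in the cookie, so walk it backwards
        # and take the first entry that is actually in our IdP list.
        for entity_id in reversed(parse_saml_idp_cookie(cookie_value)):
            if entity_id in KNOWN_IDPS:
                return entity_id

    # Nothing usable: the WAYF must present KNOWN_IDPS and let the user pick.
    return None


if __name__ == "__main__":
    sp = "https://sp.example.com/shibboleth"
    cookie = make_saml_idp_cookie(["https://idp.example.org/shibboleth"])
    print("with cookie:", choose_idp(sp, cookie))
    print("without cookie:", choose_idp(sp, None))
```

The parse step deliberately ignores entries it cannot decode and entries naming IdPs outside the configured list, so a stale or tampered cookie degrades to the prompt-the-user path rather than to a redirect the WAYF has no metadata for.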
