[cas-dev] SAML 2.0 experts...

Howard Gilbert Howard.Gilbert at yale.edu
Fri Sep 1 12:19:21 EDT 2006


I am not an expert, but...

In simple terms, there are two ways that the Artifact can be resolved.

In one case, the Artifact is a "Ticket ID". The IdP has to expose an
Artifact Resolution endpoint URL to which you can send back the Artifact to
get the stuff it represents. You learn this endpoint from your configured
Metadata (an XML file of Entities and their endpoints).  In this case the
Metadata is the "SourceID to URL endpoint" mapping and doing that mapping is
what makes Shibboleth something more than just SAML.

In a second case, the URL to resolve the Artifact is embedded in the
Artifact itself. However, since in this case you have no reason to believe
that the Artifact is genuine, you can only accept the resulting assertions
if they are digitally signed and clearly addressed to you. In this case you
need to keep a configuration of Certificates mapped to source institutions
(since of course we all know that no global PKI ever happened). This is
called Trust, and it is another reason why Shibboleth is more than just
SAML.

Ultimately CAS is simple because everyone trusts CAS and CAS only "trusts"
the subset of Proxy services that it is configured to deal with. On the
other hand, Shibboleth has a plugin architecture which is very much Spring
(only without Spring) and Metadata and Trust are pluggable components. So
you should be able to reuse part of Shibboleth if you don't reuse the whole
thing.

Shib does simplify to largely trivial configuration if all the parties are
part of a single Federation, and that Federation hands out Certificates from
a central PKI, and maybe it even maintains Metadata in a central directory.
However, they don't assume such sensible administration in the code.

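The two resolution paths contrasted in the reply above, as an added example; this is not code from the original thread, from CAS or from Shibboleth. It builds the "SourceID to URL endpoint" mapping forward from a constructed metadata table (the SAML 2.0 type 0x0004 SourceID is the SHA-1 of the issuer's entityID, so the map can only be built from known entityIDs, never recovered from the artifact), and for the embedded-URL case (the SAML 1.1 type 0x0002 layout) it checks the SourceLocation against a constructed trust list before anything would be sent to it. All entityIDs, URLs and hostnames are sample values.

```python
"""Two ways to resolve a SAML artifact: metadata lookup vs. embedded SourceLocation."""
import base64
import hashlib
import os
import struct
from urllib.parse import urlparse

# Constructed stand-in for parsed SAML metadata:
# entityID -> {ArtifactResolutionService index: endpoint URL}
METADATA = {
    "https://idp.example.edu/idp/shibboleth": {
        0: "https://idp.example.edu/idp/profile/SAML2/SOAP/ArtifactResolution",
        1: "https://idp.example.edu:8443/idp/profile/SAML2/SOAP/ArtifactResolution",
    },
    "https://idp.other.edu/saml2/idp": {
        0: "https://idp.other.edu/saml2/idp/ArtifactResolve",
    },
}

# Constructed stand-in for the per-institution trust config:
# hosts whose certificates we have configured (the "Trust" component in the reply).
TRUSTED_SOURCE_HOSTS = {"idp.example.edu"}


def source_id(entity_id):
    """SourceID = SHA-1(entityID), per the SAML 2.0 Bindings type 0x0004 format."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def build_source_index(metadata=METADATA):
    """The SourceID -> (entityID, endpoints) map; SHA-1 is one-way, so it is built forward."""
    return {source_id(eid): (eid, eps) for eid, eps in metadata.items()}


def make_type4_artifact(entity_id, endpoint_index=0, handle=None):
    """TypeCode(2) EndpointIndex(2) SourceID(20) MessageHandle(20): 44 raw bytes, base64-encoded."""
    handle = os.urandom(20) if handle is None else handle
    raw = struct.pack(">HH", 0x0004, endpoint_index) + source_id(entity_id) + handle
    return base64.b64encode(raw).decode("ascii")


def make_type2_artifact(source_location, handle=None):
    """SAML 1.1 type 0x0002: TypeCode(2) AssertionHandle(20) SourceLocation(URI bytes)."""
    handle = os.urandom(20) if handle is None else handle
    raw = struct.pack(">H", 0x0002) + handle + source_location.encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact_b64):
    """Decode either artifact layout into its fields, rejecting malformed input."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) < 2:
        raise ValueError("artifact too short")
    (type_code,) = struct.unpack(">H", raw[:2])
    if type_code == 0x0004:
        if len(raw) != 44:
            raise ValueError("type 0x0004 artifact must be exactly 44 bytes")
        (endpoint_index,) = struct.unpack(">H", raw[2:4])
        return {"type": 4, "endpoint_index": endpoint_index,
                "source_id": raw[4:24], "handle": raw[24:44]}
    if type_code == 0x0002:
        if len(raw) <= 22:
            raise ValueError("type 0x0002 artifact has no SourceLocation")
        return {"type": 2, "handle": raw[2:22],
                "source_location": raw[22:].decode("utf-8")}
    raise ValueError("unsupported artifact type 0x%04x" % type_code)


def resolve_endpoint(artifact_b64, metadata=METADATA, trusted_hosts=TRUSTED_SOURCE_HOSTS):
    """Decide where an ArtifactResolve would be sent and what the reply must satisfy."""
    art = parse_artifact(artifact_b64)
    if art["type"] == 4:
        entry = build_source_index(metadata).get(art["source_id"])
        if entry is None:
            return {"accept": False, "reason": "SourceID not present in metadata"}
        entity_id, endpoints = entry
        url = endpoints.get(art["endpoint_index"])
        if url is None:
            return {"accept": False,
                    "reason": "no ArtifactResolutionService with index %d" % art["endpoint_index"]}
        # The endpoint came from metadata we chose to load, so trust rests on that
        # lookup plus TLS server authentication of the SOAP call to it.
        return {"accept": True, "issuer": entity_id, "endpoint": url, "signature_required": False}
    # Type 2: the URL is supplied by whoever minted the artifact. Fetching it blind
    # is a server-side request forgery primitive, so only talk to hosts we hold a
    # certificate for, over https, and require signed assertions addressed to us.
    url = art["source_location"]
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in trusted_hosts:
        return {"accept": False, "reason": "SourceLocation %s is not a trusted source" % url}
    return {"accept": True, "issuer": None, "endpoint": url, "signature_required": True}


if __name__ == "__main__":
    for art in (make_type4_artifact("https://idp.example.edu/idp/shibboleth", 1),
                make_type4_artifact("https://rogue.example.net/idp"),
                make_type2_artifact("https://idp.example.edu/shibboleth/SAML1/SOAP"),
                make_type2_artifact("https://attacker.example.net/collect")):
        print(resolve_endpoint(art))
```

The index is rebuilt on every call here for clarity; a real receiver computes it once when metadata is loaded and refreshes it when the metadata does. Note that the type 4 path rejects an unknown SourceID outright rather than trying to resolve it, which is the behaviour that makes the metadata file the effective allow-list of issuers.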

From: cas-dev-bounces at tp.its.yale.edu On Behalf Of Scott Battaglia
Sent: Friday, September 01, 2006 11:01 AM
To: CAS Developers Mailing List
Subject: [cas-dev] SAML 2.0 experts...


Is anyone out there a SAML 2.0 expert?  I'm reading the specification for
the Browser Artifact profile and it talks about using ArtifactResolve and
from what I can tell it looks like CAS would need to maintain a mapping
SourceId to URL endpoints for anyone it wants to communicate with.  Is this
true? 

-Scott
