[cas-dev] SAML 2.0 experts...
Scott Battaglia
scott.battaglia at gmail.com
Fri Sep 1 14:09:43 EDT 2006
So it looks like in either case there needs to be some
knowledge/configuration on the CAS side? It's not as simple as there being
given a TARGET url like the SAML 1.1 Browser Artifact profile?
On 9/1/06, Howard Gilbert <Howard.Gilbert at yale.edu> wrote:
>
> I am not an expert, but …
>
> In simple terms, there are two ways that the Artifact can be resolved.
>
> In one case, the Artifact is a "Ticket ID". The IdP has to expose an
> Artifact Resolution endpoint URL to which you can send back the Artifact to
> get the stuff it represents. You learn this endpoint from your configured
> Metadata (an XML file of Entities and their endpoints). In this case the
> Metadata is the "SourceID to URL endpoint" mapping and doing that mapping is
> what makes Shibboleth something more than just SAML.
>
> In a second case, the URL to resolve the Artifact is embedded in the
> Artifact itself. However, since in this case you have no reason to believe
> that the Artifact is genuine, you can only accept the resulting assertions
> if they are digitally signed and clearly addressed to you. In this case you
> need to keep a configuration of Certificates mapped to source institutions
> (since of course we all know that no global PKI ever happened). This is
> called Trust, and it is another reason why Shibboleth is more than just
> SAML.
>
> Ultimately CAS is simple because everyone trusts CAS and CAS only "trusts"
> the subset of Proxy services that it is configured to deal with. On the
> other hand, Shibboleth has a plugin architecture which is very much Spring
> (only without Spring) and Metadata and Trust are pluggable components. So
> you should be able to reuse part of Shibboleth if you don't reuse the whole
> thing.
>
> Shib does simplify to largely trivial configuration if all the parties are
> part of a single Federation, and that Federation hands out Certificates from
> a central PKI, and maybe it even maintains Metadata in a central directory.
> However, they don't assume such sensible administration in the code.
>
> ------------------------------
>
> *From:* cas-dev-bounces at tp.its.yale.edu [mailto:
> cas-dev-bounces at tp.its.yale.edu] *On Behalf Of* Scott Battaglia
> *Sent:* Friday, September 01, 2006 11:01 AM
> *To:* CAS Developers Mailing List
> *Subject:* [cas-dev] SAML 2.0 experts...
>
> Is anyone out there a SAML 2.0 expert? I'm reading the specification for
> the Browser Artifact profile and it talks about using ArtifactResolve and
> from what I can tell it looks like CAS would need to maintain a mapping
> SourceId to URL endpoints for anyone it wants to communicate with. Is this
> true?
>
> -Scott
>
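As an added illustration of the first case Howard describes (a SourceID looked up in configured metadata before the artifact is resolved), and not code from this thread, from CAS or from Shibboleth: a Python parser for a SAML 2.0 type-0x0004 artifact that refuses to resolve any artifact whose SourceID is not known from metadata. The entityID, endpoint URL and metadata table are constructed assumptions.

```python
import base64
import hashlib
import os
from dataclasses import dataclass

# Constructed metadata: entityID -> {endpointIndex: ArtifactResolutionService URL}.
# In practice this comes from the federation's SAML metadata; these values are assumptions.
METADATA = {
    "https://idp.example.edu/idp": {0: "https://idp.example.edu/idp/ArtifactResolve"},
}
# For type-0x0004 artifacts the SourceID is the SHA-1 of the issuer's entityID,
# so the SourceID -> entityID table is derived from metadata rather than hand-configured.
SOURCEID_INDEX = {hashlib.sha1(e.encode()).digest(): e for e in METADATA}

@dataclass
class Artifact:
    type_code: int
    endpoint_index: int
    source_id: bytes
    message_handle: bytes

def build_artifact(entity_id: str, endpoint_index: int = 0) -> str:
    """Encode a type-0x0004 artifact; used here only to construct sample input."""
    raw = (b"\x00\x04" + endpoint_index.to_bytes(2, "big")
           + hashlib.sha1(entity_id.encode()).digest() + os.urandom(20))
    return base64.b64encode(raw).decode()

def parse_artifact(encoded: str) -> Artifact:
    """Decode and structurally validate an artifact: exactly 44 bytes, type 0x0004."""
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) != 44:
        raise ValueError("artifact must be 44 bytes, got %d" % len(raw))
    type_code = int.from_bytes(raw[0:2], "big")
    if type_code != 0x0004:
        raise ValueError("unsupported artifact type 0x%04x" % type_code)
    return Artifact(type_code, int.from_bytes(raw[2:4], "big"), raw[4:24], raw[24:44])

def resolution_endpoint(encoded: str) -> str:
    """Map the artifact's SourceID to a configured endpoint; unknown sources are refused."""
    art = parse_artifact(encoded)
    entity_id = SOURCEID_INDEX.get(art.source_id)
    if entity_id is None:
        raise LookupError("artifact SourceID is not in metadata; refusing to resolve")
    endpoints = METADATA[entity_id]
    if art.endpoint_index not in endpoints:
        raise LookupError("no ArtifactResolutionService with index %d" % art.endpoint_index)
    return endpoints[art.endpoint_index]
```

The second case Howard describes, where the endpoint travels inside the artifact, is deliberately not supported here: without the metadata lookup there is nothing to tie the artifact to a trusted issuer until the returned assertion's signature has been checked.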