> does anyone know of anyone who is doing any work integrating Shibboleth,
> MS CardSpace and OpenID?

There are plans forming to support information cards (including
Microsoft's CardSpace implementation) in the various Shib components.
This work is likely to happen over the next year. The focus is on reusing
Shib's attribute-handling machinery on both IdP and SP.

> I remember at a talk in the Lake District 2 years ago, Ian Young
> explaining how CardSpace (or InfoCard as it was then) could be a
> solution to the WAYF problem but I've heard nothing since. Looking at it
> it seems to me that a Shib IdP could issue a managed infocard to its
> users which a shibb'ed application could then call.

An information card client has a number of benefits, including eliminating
the need for IdP discovery. Taking advantage of those benefits generally
means building support for the WS-Trust protocol, which is not SAML, so
adding more protocol support in Shib components. Shib already supports
SAML 1.x and WS-Federation, and will support SAML 2.0, so it's already
multi-protocol. But every new protocol carries its own integration
requirements.

> Similarly with so many websites now supporting OpenID as Relying Parties
> why can't a Shib IdP also act as an OpenID server?

I've been following OpenID since its earliest days, and am keenly aware of
the recent publicity. But where are the OpenID relying parties of
interest? Beyond leaving blog-comments I haven't seen many yet. Are
there some of interest to you?

> I appreciate that most of the resources protected by OpenID don't
> require the levels of assurance that Shibboleth provides but it is an
> area where a person's University could potentially 'add value' to the
> 'student experience'.

As pointed out, it's pretty easy to do. So easy in fact that users are no
doubt doing it themselves (I heard the students at MIT put up an OP using
MIT credentials). I think ultimately its utility has to do with
interesting questions about the intersection between consumer-oriented
web-based services and higher-education interests. But as regards Shib
there's likely no need to do any integration at this point, you just run
OpenID code in parallel. If OpenID is successful in doing non-trivial
things with attributes that might create an integration opportunity.

> I know at one point there were concerns that CardSpace was a Microsoft
> only solution but with extensions to Firefox 2 now available, a
> commitment to built-in support in Firefox 3 and implementations on
> non-Windows platform from the Higgins Project, it would seem that this
> is the way the world is going.

Microsoft, to their credit (i.e., Kim Cameron's credit), has always promoted
the technology as openly implementable, and has helped create a large
community of developers. It is definitely a major step forward in
authentication to web apps. How soon it takes the world by storm remains
to be seen. From my point of view as a promoter of SAML-based federations
(both via my university and via InCommon and the Shib project) the main
thing is providing orderly incremental transition.

- RL "Bob"