>>> On 02/12/2009 at 10:28, in message
<[log in to unmask]>, Adrian Barker
<[log in to unmask]> wrote:
> On our local 1.3 SP, the ePTID appears in a different form for
> Shibboleth 1.3 and Shibboleth 2.0:
> HTTP_SHIB_TARGETEDID: [log in to unmask]
> and
> HTTP_SHIB_TARGETEDID:
> https://shib-idp.ucl.ac.uk/shibboleth!https://sp.wasdev-a.ucl-0.ucl.ac.uk/shibboleth!j6M6lC9EqOSYHGmW7dYE/vEaZS0=
>
> so is there a setting on the SP that needs changing?
This is an important point.
I expect V1 SPs will continue just the same as before and will talk SAML 1 to the new IdP and will get the old deprecated form of eptidhash@scope, just like you can see I got from target.iay. Business as usual.
But what about V2 SPs? I'm assuming that when they see my new shiny V2 IdP they'll say "at last Dundee joins the 20th century (sic), I'm going to talk SAML 2 with them" and they'll get the new (proper) form of ePTID. They will then unpack that but will pass up to the application the same identity they did when they talked SAML1??
The bottom line is that users' personalisations will not be lost when that SP talks SAML2 to me rather than SAML1?
Please tell me this is so?!
I have done some playing with a toy SP here and switched the preference between SAML1 and SAML2 against the V2 IdP and looked at what ended up in the Apache environment, and this certainly seemed to be the case...
yours hopefully
Andy
The University of Dundee is a registered Scottish charity, No: SC015096
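
As an added example (not part of the original message and not Shibboleth code): an application that keys personalisation data on HTTP_SHIB_TARGETEDID could split both forms quoted above and check whether the opaque part matches before treating two values as the same user. The function names and the sample values are constructed for illustration.

```python
from typing import NamedTuple, Optional


class TargetedID(NamedTuple):
    form: str             # "scoped" (value@scope) or "qualified" (idp!sp!value)
    value: str            # opaque per-user, per-SP identifier
    scope: Optional[str]  # present only in the scoped form
    idp: Optional[str]    # IdP entityID, present only in the qualified form
    sp: Optional[str]     # SP entityID, present only in the qualified form


def parse_targeted_id(raw: str) -> TargetedID:
    """Split a targeted-ID header value into its components."""
    raw = raw.strip()
    if "!" in raw:
        # Qualified form: IdP entityID, SP entityID and value joined by "!".
        parts = raw.split("!")
        if len(parts) != 3 or not all(parts):
            raise ValueError("expected idp!sp!value")
        idp, sp, value = parts
        return TargetedID("qualified", value, None, idp, sp)
    # Scoped form: split on the last "@" so the scope is always the tail.
    value, sep, scope = raw.rpartition("@")
    if not sep or not value or not scope:
        raise ValueError("expected value@scope")
    return TargetedID("scoped", value, scope, None, None)


def same_opaque_value(a: str, b: str) -> bool:
    """True when two header values carry the same opaque identifier."""
    return parse_targeted_id(a).value == parse_targeted_id(b).value


# Constructed sample values, not taken from any real IdP or SP.
SCOPED = "AbCdEf0123456789/+xyz=@example.org"
QUALIFIED = ("https://idp.example.org/shibboleth!"
             "https://sp.example.org/shibboleth!AbCdEf0123456789/+xyz=")

if __name__ == "__main__":
    print(parse_targeted_id(SCOPED))
    print(parse_targeted_id(QUALIFIED))
    print(same_opaque_value(SCOPED, QUALIFIED))
```

Whether the opaque value really is identical across the two forms depends on how the IdP computes it, so the comparison should be run against values observed from the actual IdP before any stored keys are migrated.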