>>> On 24/05/2010 at 18:21, in message <004a01cafb65$7f0c9480$7d25bd80$@com>, Rod
Widdowson <[log in to unmask]> wrote:
>> Unless I'm missing something (and that's entirely possible, and I'd really
>> like it if someone could point out what), the same behaviour would surely
>> be expected of Rod's approach?
>
> Up to a point - if an SP never updates its metadata you are stuffed. But
> with the approach I used the same IdP supports both 'old' and 'new' end
> points.
>
> 1) Add new end points to your old IdP.
> IdP is listening on Shib1 & Shib2 end points (but SAML1 only)
Yes, with Rod's approach, because it's all happening on the same IdP it doesn't matter if you authenticate through a "new style" endpoint but then come along asking for attributes with an "old style" one. My "flaw" was that although I was listening on both sets of endpoints they were different IdPs who knew nothing of each other's visitors...
But as Jethro (and others) say, it's really a failure of the SP if the problem continues beyond 24 hours. And during that first period the only SPs affected are those who come through the Federation WAYF.
It was not really a problem for us, few sites were affected and those that were we had workarounds for (go through the session initiator etc), it's just that I wanted to be totally protected from someone shooting me in the foot, the problem with feet, though, is that they're such a good target....
Andy
The University of Dundee is a registered Scottish charity, No: SC015096