Tom Scavo wrote:
> On 10/25/05, Josh Howlett wrote:
>
>>Shibboleth offers a great model for authorisation but
>>stinks at authentication (ie. the WAYF).
>
>
> Actually, Shibboleth doesn't address authentication at all. It
> leverages an existing local authentication service (basic auth,
> pubcookie, etc.) to provide cross-domain single sign-on. Whether this
> is a bug or a feature is arguable.

That was my point, irrespective of whether one considers it a bug or
feature.

The fact remains that there may exist problems in the Shibboleth
universe, such as IDP discovery, that may have solutions in the network
AAA part of the stack (and _vice versa_).

best regards, josh.

ps.

> PS. The WAYF has little to do with this. It is a somewhat mediocre
> solution to the Identity Provider Discovery problem, and has nothing
> to do with authentication.

IMHO it's unfortunate that a "cross-domain single sign-on" technology is
dependent on a "mediocre solution" for the cross-domain bit. In the
particular instance of IDP discovery, it's been solved by RADIUS in
network AAA context for about the last 10 years.