edugain-discuss - [eduGAIN-discuss] eduGAIN WebSSO profile refers to SAML2int profile that badly needs an update!

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Thomas Lenggenhager <lenggenhager AT switch.ch>
  • To: edugain-discuss AT lists.geant.org
  • Subject: [eduGAIN-discuss] eduGAIN WebSSO profile refers to SAML2int profile that badly needs an update!
  • Date: Tue, 16 Aug 2016 17:20:37 +0200
  • Organization: SWITCH

The eduGAIN WebSSO profile [1] refers to SAML2int v0.2.

However, the SAML2int v0.2.1 currently online needs an urgent update to reflect the reality of securely deploying SAML.

SAML2int requires the IdP to sign the assertion; however, the default for Shib IdPv3 is to sign the response. Scott explains well in this thread on shib-dev how it happened and why SAML2int needs an update:
http://shibboleth.net/pipermail/dev/2016-August/008478.html

How can eduGAIN get the SAML2int profile fixed or push the newer federation interoperability profile now at Kantara forward so that eduGAIN finally can refer to profile(s) that support a secure deployment?

In the interim, eduGAIN should make recommendations on how not to endanger interoperability.

Thomas

[1] https://technical.edugain.org/doc/eduGAIN%20SAML%202.0%20WebSSO%20Profile.pdf

--
SWITCH
------
Thomas Lenggenhager, Central Solutions
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 1505 direct +41 44 268 1541
https://www.switch.ch
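
The signing mismatch described in the message above (assertion signed, as SAML2int requires, versus response signed, the Shib IdPv3 default), as an added example that is not part of the original post: a Python check that reports which element of a SAML response directly carries the XML signature. The sample messages, the entity ID `https://idp.example.org/idp` and the function names are constructed for illustration, and the check only locates signatures; it does not validate them.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_placement(response_xml):
    """Classify where ds:Signature sits in a samlp:Response.

    Only locates signature elements; it does not verify them.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    response_signed = root.find("ds:Signature", NS) is not None
    if root.find("saml:EncryptedAssertion", NS) is not None:
        # A signature on the inner assertion is invisible until decryption.
        return "response+encrypted-assertion" if response_signed else "encrypted-assertion"
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        raise ValueError("no assertion in response")
    all_signed = all(a.find("ds:Signature", NS) is not None for a in assertions)
    if all_signed:
        return "both" if response_signed else "assertion"
    return "response-only" if response_signed else "unsigned"

def build_sample(sign_response, sign_assertion):
    """Constructed sample message; the signature is an empty stub element."""
    sig = "<ds:Signature/>"
    return (
        '<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" '
        'xmlns:ds="%(ds)s" ID="_r1" Version="2.0">' % NS
        + "<saml:Issuer>https://idp.example.org/idp</saml:Issuer>"
        + (sig if sign_response else "")
        + '<saml:Assertion ID="_a1" Version="2.0">'
        + "<saml:Issuer>https://idp.example.org/idp</saml:Issuer>"
        + (sig if sign_assertion else "")
        + "</saml:Assertion></samlp:Response>"
    )

if __name__ == "__main__":
    # Response-signed message versus assertion-signed message.
    print(signature_placement(build_sample(True, False)))
    print(signature_placement(build_sample(False, True)))
```
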


