Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] Support for WS Federation protocol in edugain

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] Support for WS Federation protocol in edugain


Chronological Thread 
  • From: Peter Schober <peter.schober AT univie.ac.at>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] Support for WS Federation protocol in edugain
  • Date: Fri, 15 May 2020 18:59:27 +0200
  • Organization: ACOnet

* Peter Schober <peter.schober AT univie.ac.at> [2020-05-15 17:30]:
> That doesn't mean that wide-scale real-world usage of WS-* on top of
> SAML-centric federations will just work, though. E.g. there are good
> reasons to filter out stuff that MS-ADFS expects to find in SAML 2.0
> Metadata for non-SAML use and I know of a few federations (mine
> included) that started doing just that in order to protect their SAML
> protocol-using members from potential breakage.
> (I can provide pointers if you're interested in that particular
> tangent, even though this is not related to eduGAIN policy.)

To close off that loop, too:
https://lists.geant.org/sympa/arc/edugain-discuss/2014-11/msg00031.html

Find the explanation for all of that below, in the words of a much
wiser man I cannot attribute this to due to REFEDS FOG rules:

> The reason for this rather harsh treatment is that RoleDescriptor is
> one of the very few places in the SAML schema which doesn't allow
> for lax validation. That means that if you republish this construct
> to your customers, if ANY of them schema-validate, that validation
> will fail unless they have the specific schema available. Put
> another way, anyone who is already validating and doesn't have the
> schema will find that their validation will fail if any of these
> appear in the aggregate.

Cheers,
-peter



Archive powered by MHonArc 2.6.19.

Top of Page