[gridshib-user] Some questions about GridShib

Tom Scavo trscavo at gmail.com
Thu Sep 18 10:33:31 CDT 2008


On Thu, Sep 18, 2008 at 11:22 AM, Von Welch <vwelch at uiuc.edu> wrote:
>
> The GS-CA is really just a Shibboleth-protected application. It
> doesn't get into any of the SAML exchange. I would suspect that if
> it breaks, it will be because of changes in the way Shib 2.0
> interacts with applications rather than any change in the SAML
> profile (granted those could be related).

I can think of at least two possible gotchas:

1. The Shib1 SP exposes attributes and other security information via
HTTP header variables, whereas Shib2 uses CGI environment variables
instead.  I understand that Shib2 can be configured to use header
variables like Shib1, but I'm not aware of anyone that's actually done
that.  Also, the variable names themselves have most likely changed.

2. The Shib1 SP exposes the raw attribute assertion via a header
variable (like any other attribute) but Shib2 employs a simple HTTP
GET mechanism to retrieve any assertion passed to the SP.

Those are the first things that come to mind that might impact the use
of the Shib2 SP with the GridShib CA.

Tom
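
An added example, not part of the original message and not GridShib or Shibboleth code: one way a protected application can read SP-supplied attributes under either delivery mechanism from point 1. The attribute name and sample environments are hypothetical placeholders, since the message notes that the real variable names have most likely changed.

```python
# Added example. Attribute names and sample values are constructed placeholders.

def cgi_header_key(name):
    """CGI/WSGI environ key under which a request header called `name` appears."""
    return "HTTP_" + name.upper().replace("-", "_")


def get_sp_attribute(environ, name, allow_headers=False):
    """Return (value, source) for one attribute, or (None, None) if absent.

    source is "env" when the web server set an environment variable and
    "header" when the value arrived as an HTTP request header. Header
    delivery is only consulted when the deployment explicitly opts in.
    """
    value = environ.get(name)
    if value:
        return value, "env"
    if allow_headers:
        value = environ.get(cgi_header_key(name))
        if value:
            return value, "header"
    return None, None


def load_identity(environ, wanted, allow_headers=False):
    """Collect the wanted attributes; report which ones were not delivered."""
    found, missing = {}, []
    for name in wanted:
        value, source = get_sp_attribute(environ, name, allow_headers)
        if value is None:
            missing.append(name)
        else:
            found[name] = (value, source)
    return found, missing


WANTED = ["example-attr-eppn"]  # hypothetical attribute name
# Constructed sample environments for the two delivery styles.
ENV_STYLE = {"REQUEST_METHOD": "GET", "example-attr-eppn": "alice@example.org"}
HEADER_STYLE = {"REQUEST_METHOD": "GET", "HTTP_EXAMPLE_ATTR_EPPN": "alice@example.org"}

if __name__ == "__main__":
    for label, env in (("env", ENV_STYLE), ("header", HEADER_STYLE)):
        print(label, load_identity(env, WANTED), load_identity(env, WANTED, True))
```

An application written against header delivery reports the attribute as missing under environment delivery (and vice versa) unless it goes through a lookup like this one.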



