
technical-discuss - RE: [InC-Technical] RE: ADFS InCommon Federated Services Help

Subject: InCommon Technical Discussions

  • From: "Matthew X. Economou" <>
  • To: "Eric C Kool-Brown" <>, <>, <>
  • Subject: RE: [InC-Technical] RE: ADFS InCommon Federated Services Help
  • Date: Thu, 8 Feb 2018 21:09:54 -0500

Eric C. Kool-Brown writes:

> I think I left off one bit of perhaps relevant info regarding the
> second use case of ADFS as the IdP. The ADFS metadata (as a service
> provider) would need to be added to the InCommon aggregate in order to
> be trusted by the other InCommon IdPs. I suppose that ADFS could also
> have IdP metadata added so it could be a full federation partner as
> well. Does anyone on the list know of a federation member that has done
> either of these things?

I've run AD FS both as an InCommon IdP and an InCommon SP, with both as full
federation partners. While we solved the metadata consumption, attribute
scope checking, and discovery UX issues, we encountered lots of little issues
that required disabling request/assertion encryption or switching between
SHA-1/SHA-256 on individual CP/RP trusts. Ultimately, we replaced the IdPs
with Shibboleth and moved the SPs behind SATOSA. This works a LOT better,
which is why I'm willing to use some of my Copious Free Time to help Mr. Adao
deploy Shibboleth.

Best wishes,
Matthew

--
"The lyf so short, the craft so longe to lerne."



