Additional N-Tier / Proxy / Delegation Support

Shibboleth currently implements protocols and profiles that address authentication of a user relying on a browser. From the beginning of the project, however, there has been interest in SAML's relevance to n-tier use cases. When an SP receives SAML tokens, what, if anything, can it do with them in order to authenticate that user to a backend service? How would it do this? There have been several attempts to define approaches to this problem.

An initial work item for this is listed above and is under development.

Generally (but not always), the proposed solutions involve using SAML (or possibly a non-SAML protocol) to let the SP request additional assertions from the IdP that remap identities or carry new attributes, together with a way to attach the new assertions to whatever protocol the SP uses to communicate with the backend service.
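To make that general shape concrete, here is an added illustration (not Shibboleth code, and not any of the proposals referenced on this page) of the two halves of the pattern: the IdP issuing a fresh assertion addressed to the backend that records which SP acted on the user's behalf, and the backend's acceptance check. It assumes the SAML 2.0 delegation-restriction condition as the way to record the delegate, uses constructed entity IDs, and leaves XML signature verification to the surrounding stack.

```python
"""Simplified n-tier delegation flow: constructed illustration, not project code."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DELEG = "urn:oasis:names:tc:SAML:2.0:conditions:delegation"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("saml", SAML)
ET.register_namespace("del", DELEG)


def build_delegated_assertion(issuer, subject, audience, delegates):
    """IdP side: issue a new assertion for the backend (audience) on behalf of
    `subject`, naming each intermediary SP in a delegation-restriction condition.
    Signing is assumed to happen after this step."""
    a = ET.Element(f"{{{SAML}}}Assertion")
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions")
    ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(ar, f"{{{SAML}}}Audience").text = audience
    dr = ET.SubElement(cond, f"{{{SAML}}}Condition",
                       {f"{{{XSI}}}type": "del:DelegationRestrictionType"})
    for sp in delegates:  # the SP(s) that carried the user's identity forward
        ET.SubElement(ET.SubElement(dr, f"{{{DELEG}}}Delegate"),
                      f"{{{SAML}}}NameID").text = sp
    return ET.tostring(a, encoding="unicode")


def backend_accepts(assertion_xml, my_entity_id, trusted_idp, allowed_delegates):
    """Backend side: return the authenticated user, or None if the assertion
    comes from an untrusted issuer, is not addressed to this service, or names
    a delegate this backend does not allow to act on users' behalf."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML, "del": DELEG}
    if root.findtext("saml:Issuer", namespaces=ns) != trusted_idp:
        return None
    audiences = [e.text for e in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", ns)]
    if my_entity_id not in audiences:
        return None
    delegates = [e.text for e in root.findall(
        "saml:Conditions/saml:Condition/del:Delegate/saml:NameID", ns)]
    if not delegates or any(d not in allowed_delegates for d in delegates):
        return None
    return root.findtext("saml:Subject/saml:NameID", namespaces=ns)
```

The backend check is the part that matters for the n-tier question: a token that is merely valid is not enough, it must be addressed to this service and the chain of intermediaries must be one the service is willing to trust.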

We are seeking a detailed use case, describing the flow, the protocols that would be used, and the toolkits that would be used in the SP and in the backend service to implement this functionality. (This area has not matured to the point where the toolkits can be separated from the protocol stack implementations.)

Some possible use case outlines follow.

  1. Transferring Kerberos tickets from an IdP as attributes
  2. Information Card support for active clients
  3. OAuth
  4. A highly simplified SOAP interface to the IdP to obtain assertions