Development notes on ShibADFS interop...

Request from Resource STS (SP) to Requestor STS (!IdP)

GET/Redirect with query string:

$ wtrealm (providerId): required URI identifying resource realm
$ wreply (shire): optional URL to POST security token back to
$ wctx (target): optional string to be returned with security token
$ wct (time): optional UTC timestamp string, some IdPs can require it, so we should always send it

Response from Requestor STS (!IdP) to Resource STS (SP)

POST with form:

$ wresult (SAMLResponse): Literal encoded RequestSecurityTokenResponse XML fragment
$ wctx (TARGET): optional string returned with security token

Concepts

Incoming SAML attributes are mapped to Organization Claims and then exported to Applications, similar to an AttributeAcceptancePolicy

Uses _LSRealm cookie on the Resource Realm side after successful token response to local STS to cache the Account STS used by the client. Equivalent to the _saml_idp cookie created by SP if IdPHistory is turned on, in that it tracks not discovery selection but successful authentications.

Implementation

$ Proposed URI for protocolSupportEnumeration and Binding attributes: http://schemas.xmlsoap.org/ws/2003/07/secext

Significantly enhanced SessionInitiator plugin to select AssertionConsumerService based on support for profiles consistent with the request (i.e. auto-select an ADFS endpoint when sending an ADFS request). Need revisions to IApplication API to improve the efficiency.

Look at Sun/MS drafts for handling Liberty/WS interop.

Browser not supported