guanxi athens news
Wed, Jun 22, 2005
Guanxi::IdP 1.2 has successfully interacted with the Eduserv Athens-Shibboleth test gateway. It threw up a couple of interesting points:
Athens required that we turn on client authentication on the Attribute Authority (AA), rather than relying on SSL alone. It’s a good thing to do in general, but it raises other problems. The SSO can no longer share a port with the AA, because turning on client authentication for a port refuses all connections from clients whose certificates are not in that port’s trust store. Doing this to the SSO stops it working entirely, as browsers access the SSO and no user’s browser has a certificate to offer. Even if they did, it’s obviously not scalable! So the AA had to move to another port. That’s not a problem in itself, but you need to open the new port through your firewall and, as we saw at the JISC Middleware event in Loughborough, it’s pretty difficult to get firewalls opened if you’re demoing. Hopefully all this may be sorted when the trust system moves up to the message layer.
Multi-federation support. Guanxi 1.1 didn’t support being in more than one federation; 1.2 does, and we used it to good effect to get access to Athens.