WebISO: Web Application Agent (WAA) Questionnaire

Shibboleth
http://shibboleth.internet2.edu/

Prepared by RL "Bob" Morgan, 2003-01-07


1. Model & Capabilities of the Web Authentication Agent (WAA)

1.1 Which high-level integration model(s) does your WAA support?

    [x] Server module
        [x] Apache 1.3
        [ ] Apache 2.0
        [ ] Java Servlet
        [ ] Microsoft ISAPI
        [ ] Other
    [x] Developer's API
        [x] C/C++
        [ ] Java/JSP
        [ ] Perl
        [ ] Python
        [ ] Other

1.2 If applicable, describe the method(s) your WebISO solution provides for the WAA to handle N-tier (proxied, delegated) authentication (cf http://middleware.internet2.edu/webiso/docs/draft-lajoie-trust_and_delegation-02.html):

    None.


2. Authentication Request

2.1 Describe the API your WAA provides to Web applications to initiate authentication. What functions can it invoke? What parameters can it pass?

    Apache: Authentication is invoked by protecting directories in the same style as other Apache authentication modules: a .htaccess file in the directory, or config lines in httpd.conf. There are no optional parameters.

    C/C++: Still in progress, but planned to have "invoke session" and "end session" calls.

2.2 Describe any other options your WAA provides to Web applications to influence the authentication process. For example, can it request the technology or policy used to handle authentication?

    None.


3. Authentication Delivery

3.1 Describe the information delivered by your WAA to Web applications:

3.1.1 What user information is provided to the application? What is the format? How does it relate to the identifier presented to the verification backend?

    The WAA receives user attributes from the origin-site Attribute Authority (the origin site being the site the user signs in to). These attributes are completely extensible to meet the needs of origins and relying applications. Initial attributes are based on the eduPerson schema: EPPN, Affiliation, Entitlement.

    EPPN is mapped (in a configurable way) to the REMOTE_USER variable available in the CGI environment. Other attributes are given Shib-defined variable names in the same CGI style. The origin site (admins + users) controls which attributes are sent to the WAA. In some cases EPPN/REMOTE_USER may not be sent, based on user/site controls; in this case the webapp uses other user attributes to make authorization decisions.

3.1.2 Does the WAA deliver additional user attributes (e.g., lookup key value associated with login identifier, studentid, group membership)? What is the format of this?

    See above.

3.1.3 Can additional information be delivered on request?

    The WAA requests user attributes at authentication time. Currently there is no support for acquiring attributes in mid-session.

3.2 Describe the means by which your WAA provides authentication information to your application. Please be as specific as possible.

    Apache: REMOTE_USER CGI variable.

    C/C++: Attributes to be available via a "get_attribute" call of some kind.


4. Authentication Session

4.1 Briefly describe how authentication session information is maintained (if not already covered in section 2 above):

    The Shib WAA does no session maintenance; this is left up to the application. The WAA implements an attribute cache so attributes can be fetched from the cache on subsequent hits.

4.2 Is it possible for an application to set the session duration? If not already covered above, please describe:

    No.

4.3 Is it possible to terminate an authentication session globally? How is that information conveyed to the application?

    No.


5. Messaging (Weblogin Service (WLS) <-> WAA)

5.1 Describe the message format used between your WAA and weblogin service to request and receive authentication information:

    The request message from WAA to WLS is a simple URL with params to indicate where the client should go after redirection. The response is a SAML authentication assertion, using the SAML POST Profile.

5.2 Describe the protocol used by the WAA to handle the above (e.g. SAML POST Profile):

    SAML Web Browser POST Profile.


6. Wish List

6.1 What changes or additions to the services provided by the WAA would you like to see in your system?

    C/C++ API needs more development. Would like to see Java and other language bindings also.

6.2 At a high level, what other changes would you like to see in your system?

    Many, but most are around attribute definition, request, and release.
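Sections 3.1 and 3.2 above describe attributes arriving as CGI environment variables, with EPPN in REMOTE_USER and the caveat that the origin site may withhold it, so the application must fall back to other attributes. The following authorization routine is an added illustration of that model, not code from the questionnaire or from Shibboleth; the attribute variable names, and the ';' separator for multi-valued attributes, are assumptions, since the questionnaire only says the names are "Shib-defined".

```python
# Assumed CGI variable names for Shibboleth-delivered eduPerson attributes.
# The questionnaire does not name them; these are placeholders.
AFFILIATION_VAR = "HTTP_SHIB_EP_AFFILIATION"
ENTITLEMENT_VAR = "HTTP_SHIB_EP_ENTITLEMENT"


def split_multi(value):
    """Split a possibly multi-valued attribute string on ';' (assumed
    separator) and drop empty items and surrounding whitespace."""
    return [v.strip() for v in (value or "").split(";") if v.strip()]


def authorize(environ, allowed_users, required_entitlement=None,
              allowed_affiliations=()):
    """Decide access from a CGI-style environment dict.

    Returns (allowed, reason). Decision order mirrors the delivery model:
      1. REMOTE_USER (EPPN) present and in allowed_users -> allow.
      2. EPPN absent or unknown: fall back to entitlement, then affiliation,
         because the origin site may have declined to release EPPN.
    """
    user = environ.get("REMOTE_USER")
    if user and user in allowed_users:
        return True, "user:" + user
    entitlements = split_multi(environ.get(ENTITLEMENT_VAR))
    if required_entitlement and required_entitlement in entitlements:
        return True, "entitlement:" + required_entitlement
    for affiliation in split_multi(environ.get(AFFILIATION_VAR)):
        if affiliation in allowed_affiliations:
            return True, "affiliation:" + affiliation
    return False, "no matching user, entitlement or affiliation"


# Constructed sample environments (not captured from a real deployment).
SAMPLE_WITH_EPPN = {"REMOTE_USER": "alice@example.edu",
                    AFFILIATION_VAR: "member;student"}
SAMPLE_NO_EPPN = {AFFILIATION_VAR: "member;faculty",
                  ENTITLEMENT_VAR: "urn:mace:example.edu:library"}

if __name__ == "__main__":
    print(authorize(SAMPLE_WITH_EPPN, {"alice@example.edu"}))
    print(authorize(SAMPLE_NO_EPPN, {"alice@example.edu"},
                    required_entitlement="urn:mace:example.edu:library"))
    print(authorize(SAMPLE_NO_EPPN, {"alice@example.edu"}))
```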