Tags: security, authentication, shibboleth

General question for using SSO and Shibboleth 2.0 - passing attributes from IdP to SP


I have been reading up on using Shibboleth 2.0 as a Single Sign On technique. One confusion I have is whether it is possible for the Identity Provider (IdP) to send back to the Service Provider (SP) an email attribute that can indicate to the web app exactly who is logging in.

For example, if user Joe is directed to register (create user/pass, etc.) at the IdP with an email joe@acme.com, and my application can uniquely identify joe@acme.com, then can the authentication response from the IdP indicate 1.) yes, this person is who he says he is, and 2.) his email here is joe@acme.com?

It seems like a major advantage of SSO in a Shibboleth federation is that the application does not need to know anything about the particular usernames and passwords that Joe chooses at the IdP. Is that true? And, if so, is this a good design, or, what are the risks and considerations of making such a system?

If this is not a good design, what are common alternatives?

In my application, I am behind SSL, and all my person emails are known and unique. Thanks.


Solution

  • Yes, part of authentication is identifying who has just logged in. Shibboleth does provide mechanisms for communicating this back as part of the SAML response.

    See https://spaces.internet2.edu/display/SHIB2/FlowsAndConfig#FlowsAndConfig-4.IdPIssuesResponsetoSP for a general description of this part of the conversation. The IdP sends back an "assertion" which includes all the attributes about the person you wish. Shibboleth can send attributes to only certain SPs -- see https://spaces.internet2.edu/display/SHIB2/IdPAddAttributeFilter.
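As an added example (not part of the original answer), here is what such a release policy looks like in a Shibboleth 2.x IdP `attribute-filter.xml`: the `email` attribute is released, and only to the one SP that needs it, so other SPs in the federation never receive it. The SP entityID `https://app.example.org/shibboleth` and the attribute ID `email` are assumed placeholder values; `email` must already be defined in the IdP's `attribute-resolver.xml`.

```xml
<!-- Added illustration of a Shibboleth IdP 2.x attribute release policy.
     The policy group wraps one or more policies; each policy says
     WHEN it applies (PolicyRequirementRule) and WHAT is released
     (AttributeRule/PermitValueRule). -->
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Release the email attribute ONLY to the one SP that must map
         the login to a known, unique address. The entityID below is a
         placeholder; it must match the SP's entityID exactly as it
         appears in federation metadata. -->
    <afp:AttributeFilterPolicy id="releaseEmailToAcmeApp">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
            value="https://app.example.org/shibboleth" />

        <!-- "email" is the attribute ID as defined in attribute-resolver.xml
             (assumed here); the resolver's encoder decides the SAML name
             the SP sees, e.g. the mail OID urn:oid:0.9.2342.19200300.100.1.3. -->
        <afp:AttributeRule attributeID="email">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    <!-- Nothing matches any other SP, so by default no attributes are
         released to requesters not named in a policy. -->
</afp:AttributeFilterPolicyGroup>
```

On the SP side, the released value arrives in the signed assertion and, with the Shibboleth SP's `attribute-map.xml`, is exposed to the web application as a request header or environment variable; the application should trust that value rather than anything the browser supplies directly.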