Problem Statement

Use Cases
  1. User A goes to a wiki tool via an LMS front end. User B goes directly to the wiki tool. The first implies support for delegation on both the LMS front end and the wiki tool. The latter implies a standard web browser SSO mechanism, such as protecting the wiki with a Shibboleth SP.
  2. The reality of applications in the cloud dealing with multi-identity. (Chuck is investigating an interface wrapper around the tool. Make it work with 2 models: a Java tool on a JVM, or a PHP tool in a PHP hosting environment.)
  3. User goes to a front end (e.g., a portal) that requests data on the user's behalf (server to server).
    1. cf. CAS delegated credential. CAS doesn't work in the federated environment.
Solution Possibilities
  1. User begins at an unprotected URL and may at some point click on a SAML-protected URL, at which point they will be asked to authenticate (lazy session model?).
Other considerations