
mace-opensaml-users - Re: [OpenSAML] OpenSAML requires an xml parser that supports JAXP 1.3 and DOM3 message

Subject: OpenSAML user discussion

  • From: Nate Klingenstein <>
  • To:
  • Subject: Re: [OpenSAML] OpenSAML requires an xml parser that supports JAXP 1.3 and DOM3 message
  • Date: Fri, 3 Oct 2008 19:42:46 +0000

Min,

I don't think that's a complete statement.  There are three categories you might want to use for your mental classification here:

1)  Shibboleth can provide evidence to the SP that the user is a valid member of the community and successfully authenticated.  No information or authorization occurs, and the evidence is used for authentication, in most cases.
2)  In addition to the above, Shibboleth can provide attributes to the SP that describe the user.  These attributes can be passed to the application through header variables, allowing the application to make its own use of them.  One of those uses can be authorization.
3)  Upon receiving the attributes and prior to feeding them through to the application, Shibboleth can enforce its own access control rules through either Apache configuration or a built-in rules engine in the <RequestMap>.

This wiki entry might give you some good examples:


So, Shibboleth *can* provide authorization if you want; it can also provide the information for the application to perform authorization itself; and it can only deliver authentication information.  Your choice.

Take care,
Nate.

On 3 Oct 2008, at 19:21, Min Lu wrote:

By the way, are you familiar with how Shibboleth in general supports Microsoft ASP.NET applications? I know there were efforts in testing Shib compatibility with Active Directory. But Shibboleth really does not have a complete authorization infrastructure, does it? The current implementation is all about federated authentication.
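
Added example (not part of the original thread, and not Shibboleth project code): a sketch of category 2 above, where the application makes its own authorization decision from attributes the SP has exported. The variable names `Shib-Session-ID` and `affiliation`, the scope `example.edu` and the sample request environments are assumptions constructed for illustration; real names depend on the SP's attribute mapping.

```python
import re

# The SP joins multiple attribute values with ';' and escapes a literal
# ';' inside a value as '\;', so split only on unescaped semicolons.
_UNESCAPED_SEMICOLON = re.compile(r"(?<!\\);")


def attribute_values(environ, name):
    """Return the list of values exported for one attribute (may be empty)."""
    raw = environ.get(name, "")
    if not raw:
        return []
    return [v.replace("\\;", ";") for v in _UNESCAPED_SEMICOLON.split(raw) if v]


def is_authorized(environ, allowed_affiliations, scope):
    """Fail closed: require an SP session and an allowed scoped affiliation."""
    if not environ.get("Shib-Session-ID"):
        # No evidence of authentication (category 1), so ignore any attributes.
        return False
    for value in attribute_values(environ, "affiliation"):
        role, _, value_scope = value.partition("@")
        # Match role and scope separately so "staff@other.example.org"
        # is never accepted for a rule written for example.edu.
        if value_scope.lower() == scope and role.lower() in allowed_affiliations:
            return True
    return False


# Constructed request environments (hypothetical values).
STAFF = {"Shib-Session-ID": "_constructed1",
         "affiliation": "member@example.edu;staff@example.edu"}
OTHER_SCOPE = {"Shib-Session-ID": "_constructed2",
               "affiliation": "staff@other.example.org"}
NO_SESSION = {"affiliation": "staff@example.edu"}

if __name__ == "__main__":
    rule = ({"staff", "faculty"}, "example.edu")
    for label, env in (("staff", STAFF), ("other scope", OTHER_SCOPE),
                       ("no session", NO_SESSION)):
        print(label, is_authorized(env, *rule))
```

The decision is only as trustworthy as the source of these values: they must be set by the SP, with any client-supplied headers of the same names cleared before the application sees the request.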




