shibboleth-dev - Minutes - Design Conference Call - October 30, 2001
  • From: Steven Carmody
  • Subject: Minutes - Design Conference Call - October 30, 2001
  • Date: Mon, 10 Dec 2001 09:56:44 -0500

*MACE-Shibboleth Design Conference Call*
October 30, 2001

*Participants*

Steven Carmody -- Brown(chair)
Scott Cantor -- OSU
Marlena Erdos -- IBM/Tivoli
Barbara Jensen -- CMU
Bob Morgan -- Washington
Ellen Vaughan -- Internet2
Ron Williams -- IBM/Tivoli
Russell Yount -- CMU
Nate Klingenstein -- Internet2(scribe)

*Discussion*

The CMU crowd wanted to know the greatest number of attributes the
AA would be required to be able to identify and pass in an implementation.
The group defined this as "not huge," and fixed the number at a maximum of
128 for now.

Partial Responses and Error Handling

The first aspect of error handling the group considered is the
"completeness" flag, which can be used as part of a SAML attribute assertion
and request: a returned set of attributes can be marked as complete or
incomplete, and a request can specify whether an incomplete set of
attributes should be returned if a complete set is not available. This is
combined with a simple error code system whose values are "Success",
"Failure", "Error", and "Unknown". The group discussed how to leverage these
two fields to build a sufficient error handling system for cases such as
insufficient permissions for some attributes, and for delivering this
information both to the target and to the user who had denied the target
access to attributes. Scott significantly improved Shibboleth's description
of its error-handling capabilities in the third draft.

The major subtlety is that in some situations there is both a success and
a failure. There is even some question about what completeness should mean
with Shibboleth's * requests, since the SHAR will always request all
attributes it is entitled to have. The group eventually agreed that when
there are some attributes the AA is unable to retrieve, "then it's a
failure, and it's a failure," in Bob's words. This avoids the further
confusion of sending a partial set of attributes to the resource manager
and then reporting a failure at this juncture.

Marlena was slightly uncomfortable with this choice, in part because it
will require failures on time-outs as well, but agreed that it was a simple
and workable solution. To address the time-out issue, Club Shib could agree
on an AA timeout period that seemed appropriate. It was observed, however,
that this hurts people who use unrestricted ARPs, because there would be a
much greater chance of timing out. With multiple potential data sources and
different latencies in these systems, this failure policy may need to be
re-evaluated at some point in the future. Asynchronous protocols such as
Shibboleth's tend to be very time-out oriented in general.
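The following is an added example, not code from these minutes or from the
Shibboleth project, that models the policy the group settled on: the "*"
request expands to everything the target's ARP entitles it to, the 128
attribute cap is enforced, ARP-denied attributes are reported rather than
treated as retrieval failures, and any attribute the AA cannot retrieve
(including one whose source exceeds the timeout) turns the whole response
into a Failure with nothing released. The attribute names, the backend
layout, the 2 second timeout value and the `denied` reporting field are all
assumptions; the latencies are simulated so the example runs offline. The
`require_complete=False` path shows the alternative the SAML completeness
flag permits, so the two outcomes can be compared.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

MAX_ATTRIBUTES = 128   # cap the group fixed on the call
TIMEOUT_S = 2.0        # assumed AA timeout; the minutes fix no value

# Error codes named in the minutes (UNKNOWN is defined but never emitted here)
SUCCESS, FAILURE, ERROR, UNKNOWN = "Success", "Failure", "Error", "Unknown"

# A data source answers with (value, simulated latency in seconds) or raises.
# Latency is simulated rather than slept so the example runs instantly.
Source = Callable[[], Tuple[str, float]]


@dataclass
class AttributeResponse:
    status: str
    complete: bool                          # the SAML completeness flag
    attributes: Dict[str, str] = field(default_factory=dict)
    unavailable: List[str] = field(default_factory=list)  # retrieval failed
    denied: List[str] = field(default_factory=list)       # withheld by the ARP


def resolve_attributes(requested: List[str], arp_allowed: Set[str],
                       sources: Dict[str, Source], *,
                       timeout_s: float = TIMEOUT_S,
                       require_complete: bool = True) -> AttributeResponse:
    """Answer one SHAR attribute request under the policy agreed on the call.

    require_complete=True is the fail-closed rule ("then it's a failure"):
    if any entitled attribute cannot be retrieved, nothing is released.
    require_complete=False is the alternative the completeness flag allows:
    a partial set, marked incomplete.
    """
    # A "*" request means "everything the ARP entitles this target to".
    names = sorted(arp_allowed) if requested == ["*"] else list(dict.fromkeys(requested))
    if len(names) > MAX_ATTRIBUTES:
        return AttributeResponse(ERROR, False)

    # ARP filtering is a policy decision, not a retrieval failure; the denied
    # names are reported so both the target and the user can learn of it.
    denied = [n for n in names if n not in arp_allowed]
    values: Dict[str, str] = {}
    unavailable: List[str] = []
    for name in (n for n in names if n in arp_allowed):
        src = sources.get(name)
        if src is None:                    # no backend knows this attribute
            unavailable.append(name)
            continue
        try:
            value, latency = src()
        except Exception:                  # backend error of any kind
            unavailable.append(name)
            continue
        if latency > timeout_s:            # too slow counts as a failure too
            unavailable.append(name)
            continue
        values[name] = value

    if unavailable and require_complete:
        return AttributeResponse(FAILURE, False, {}, unavailable, denied)
    return AttributeResponse(SUCCESS, not unavailable, values, unavailable, denied)


def demo_sources() -> Dict[str, Source]:
    """Constructed backends: two fast ones and a slow directory past the timeout."""
    return {
        "eduPersonAffiliation": lambda: ("member", 0.05),
        "eduPersonEntitlement": lambda: ("urn:example:library", 0.10),
        "mail": lambda: ("user@example.edu", 5.0),
    }


if __name__ == "__main__":
    narrow = {"eduPersonAffiliation", "eduPersonEntitlement"}
    wide = narrow | {"mail"}   # an unrestricted ARP reaches the slow source
    print(resolve_attributes(["*"], narrow, demo_sources()))
    print(resolve_attributes(["*"], wide, demo_sources()))
    print(resolve_attributes(["*"], wide, demo_sources(), require_complete=False))
```

Running it shows the observation from the call: the narrow ARP succeeds,
the wider ARP reaches the slow source and so fails outright under the
agreed rule, and only the partial mode returns the two fast attributes
marked incomplete.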

Context Establishment

There was also a protracted discussion of the means to implement a
context establisher and where this ability should be housed in a Shibboleth
implementation. While this has traditionally been considered an ability of
the SHIRE, Ron suggested on the call that it could be considered
theoretically separate, even if it would indeed be implemented in the
SHIRE. This highlights something commonly encountered during
implementation: while the WAYF, SHAR, handle server, etc. are all separate
conceptual bodies, many of these services will be performed by the same
entity in an implementation.

The reasoning that this could be separated out is that in cases such as
the client certificate case, where the client accesses the target resource
first, the context establisher would be largely bypassed. Client
certificates will not be used in any of the proposed pilot sites, but Bob
reasoned that the "handleness" of the handle is how it is used, and not
what it looks like or how it is generated; something extracted from a
certificate could be used in much the same manner as a traditionally
generated handle.

  • Minutes - Design Conference Call - October 30, 2001, Steven_Carmody, 12/10/2001