shibboleth-dev - RE: Attributes, and Shibboleth -- the EPPN swamp
  • From: "Scott Cantor" <>
  • To: "'Shibboleth Project'" <>, <>, <>
  • Subject: RE: Attributes, and Shibboleth -- the EPPN swamp
  • Date: Sat, 19 Jan 2002 15:54:51 -0500
  • Importance: Normal
  • Organization: The Ohio State University

> PROPOSAL
>
> Create a new dynamic attribute, supported by Shibboleth, and called
> SHIB_EPPN. If an ARP instructed an AA to provide this attribute, the
> AA would obtain the user's EPPN attribute from their directory
> object, would strip the RHS and the @, and provide the LHS as the
> value of SHIB_EPPN. This attribute would be scoped, like any other
> Shibboleth attribute, by the value of the SecurityDomain element.

Is this appropriate for current (if any) deployments of EPPN that embed
security realm information that is needed to ensure uniqueness?

Maybe the answer is to just ignore EPPN and mandate a new username
attribute that is unique within a security domain as defined by
Shibboleth (as opposed to one defined by eduPerson or a directory). For
most deployments it may be equal to EPPN, and when it's not, leave that
to the site to resolve.

> The SHAR, using its default AAP, would, as usual, ensure that this
> particular AA can make assertions about this SecurityDomain. And,
> probably, that the scope equals the org name. (It might also check to
> ensure that the SHIB_EPPN does NOT contain a @.)

As a general rule, I want the XML parser to enforce the syntax of
attributes. If you want to ban @, then we'll write a schema to define
the username string with the appropriate regexp.

-- Scott

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--
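An added illustration of the two halves of the proposal under discussion, the AA deriving SHIB_EPPN from the directory EPPN and the SHAR's AAP accepting it only if the asserting AA is trusted for the scope, the scope is the org name and the value carries no '@'. This is example code written for this archive page, not code from the thread or from Shibboleth; the function names, the value regexp (standing in for the schema regexp Scott suggests), the lower-casing of scopes and the sample domains are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed syntax for a SHIB_EPPN value, in place of the schema regexp the
# reply proposes: one or more characters, none of them '@' or whitespace.
SHIB_EPPN_VALUE_RE = re.compile(r"^[^@\s]+$")

@dataclass(frozen=True)
class ScopedAttribute:
    name: str
    value: str
    scope: str   # the SecurityDomain the AA asserted for this value

def aa_build_shib_eppn(eppn: str, security_domain: str) -> ScopedAttribute:
    """AA side: drop the '@' and RHS of the EPPN, scope the LHS by SecurityDomain."""
    if eppn.count("@") != 1:
        raise ValueError(f"EPPN must contain exactly one '@': {eppn!r}")
    lhs, _, _rhs = eppn.partition("@")
    return ScopedAttribute("SHIB_EPPN", lhs, security_domain.lower())

def shar_check_shib_eppn(attr: ScopedAttribute, asserting_aa: str,
                         aa_scopes: dict, org_name: str) -> Optional[str]:
    """SHAR/AAP side: None if acceptable, otherwise the first failing check."""
    # AAP rule 1: this AA is allowed to make assertions about this scope.
    if attr.scope not in aa_scopes.get(asserting_aa, set()):
        return f"AA {asserting_aa} may not assert scope {attr.scope}"
    # AAP rule 2 (the 'probably' in the proposal): scope equals the org name.
    if attr.scope != org_name.lower():
        return f"scope {attr.scope} is not the org name {org_name}"
    # Syntax rule: the value is a bare username, never a second user@realm.
    if not SHIB_EPPN_VALUE_RE.match(attr.value):
        return f"value {attr.value!r} violates the SHIB_EPPN syntax"
    return None

# Constructed sample data: one AA and the single scope it is trusted for.
AA_SCOPES = {"aa.example.edu": {"example.edu"}}

def demo() -> dict:
    good = aa_build_shib_eppn("jdoe@example.edu", "example.edu")
    # A value that still contains a full user@realm, and a scope this AA is not trusted for.
    smuggled = ScopedAttribute("SHIB_EPPN", "jdoe@other.edu", "example.edu")
    foreign = ScopedAttribute("SHIB_EPPN", "jdoe", "other.edu")
    return {
        "good": shar_check_shib_eppn(good, "aa.example.edu", AA_SCOPES, "example.edu"),
        "smuggled": shar_check_shib_eppn(smuggled, "aa.example.edu", AA_SCOPES, "example.edu"),
        "foreign": shar_check_shib_eppn(foreign, "aa.example.edu", AA_SCOPES, "example.edu"),
    }
```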