
shibboleth-dev - RE: Attributes, and Shibboleth -- the EPPN swamp

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: "'RL 'Bob' Morgan'" <>, "'Shibboleth Project'" <>
  • Cc: "'MACE-Dir'" <>, "'Shibboleth Design Team'" <>
  • Subject: RE: Attributes, and Shibboleth -- the EPPN swamp
  • Date: Fri, 25 Jan 2002 14:18:43 -0500
  • Importance: Normal
  • Organization: The Ohio State University

> origin-site: washington.edu
> security-domain-list: u.washington.edu

> So, the washington.edu institutional directory publishes EPPNs like
> "" (yes, it really is "u." for historical reasons, there is no defined
> "washington.edu" security domain at this point). The washington.edu AA
> asserts attributes and values with the semantics:
>
> eppn: local-part="rlmorgan", security-domain="u.washington.edu"
> affiliation: local-part="staff", security-domain="u.washington.edu"

All of this looks good to me with a question remaining about what
SecurityDomain to put in the assertion subject. My assumption is that
it's the name of the origin site and not the security domain of, say,
the user's EPPN. Even if all the user's attributes have to override the
scope to be u.washington.edu, I still think that's better.

I seem to recall we hit that question on the last call, but I can't
remember what the point of disagreement was or what I was thinking of at
the time.

For one thing, if you follow the line of logic at the end of your
proposal to having two origins issuing attributes in the same domain,
you can't map back from it to the origin site when you get the assertion
at the SHIRE. So that would pretty much dictate that it be the one, true
origin site name.

-- Scott

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--
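
The scoping question in this message, as an added example that is not part of the original post and is not Shibboleth code: a relying party resolves the origin site from the assertion subject's domain, then checks each attribute's security domain against that origin's list. The registry layout, the function names, the second origin `medcenter.example` and the out-of-scope attribute are assumptions made for illustration.

```python
# Added illustration; not Shibboleth code. Registry contents are constructed.
ORIGINS = {
    "washington.edu": {"u.washington.edu"},      # from the thread
    "medcenter.example": {"u.washington.edu"},   # hypothetical second origin
}

SAMPLE_ATTRS = [  # constructed (name, local-part, security-domain) triples
    ("eppn", "rlmorgan", "u.washington.edu"),
    ("affiliation", "staff", "u.washington.edu"),
    ("affiliation", "faculty", "other.example"),  # outside the origin's list
]


class UnknownOrigin(Exception):
    """The assertion subject's domain is not a registered origin site name."""


def origins_for_domain(security_domain):
    """Reverse lookup from a security domain to every origin that may use it."""
    return sorted(o for o, doms in ORIGINS.items() if security_domain in doms)


def check_assertion(subject_domain, attributes):
    """Resolve the origin from the subject, then scope-check each attribute.

    Returns (accepted, rejected) lists of the attribute triples.
    """
    allowed = ORIGINS.get(subject_domain)
    if allowed is None:
        raise UnknownOrigin(subject_domain)
    accepted = [a for a in attributes if a[2] in allowed]
    rejected = [a for a in attributes if a[2] not in allowed]
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = check_assertion("washington.edu", SAMPLE_ATTRS)
    print("accepted:", ok)
    print("rejected:", bad)
    # A security domain alone does not identify one origin site:
    print("issuers of u.washington.edu:", origins_for_domain("u.washington.edu"))
```

With the origin site name in the subject the lookup is unambiguous; the reverse lookup from `u.washington.edu` returns two candidate origins once a second issuer shares that domain.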



