shibboleth-dev - RE: Attributes, and Shibboleth -- the EPPN swamp

Subject: Shibboleth Developers

  • From: "RL 'Bob' Morgan" <>
  • To: Scott Cantor <>
  • Cc: "'Shibboleth Project'" <>, "'MACE-Dir'" <>, "'Shibboleth Design Team'" <>
  • Subject: RE: Attributes, and Shibboleth -- the EPPN swamp
  • Date: Fri, 25 Jan 2002 12:18:18 -0800 (PST)


On Fri, 25 Jan 2002, Scott Cantor wrote:

> All of this looks good to me with a question remaining about what
> SecurityDomain to put in the assertion subject.

Well, the entirety of the real proposed SAML-based schema (and naming
conventions) remains to be presented, including this issue ...

> My assumption is that it's the name of the origin site and not the
> security domain of, say, the user's EPPN. Even if all the user's
> attributes have to override the scope to be u.washington.edu, I still
> think that's better.

Given that the Name element of NameIdentifier will be (I think we agree)
the handle (in both the Authn and Attr assertions, er, statements), then I
agree that it is the right thing for the SecurityDomain to be the "origin
site", because that is the domain in which the handle (temporarily)
exists; not the security domain of any of that subject's attributes.

> I seem to recall we hit that question on the last call, but I can't
> remember what the point of disagreement was or what I was thinking of
> at the time.

You were thinking correctly at that point (as above), I was not.

> For one thing, if you follow the line of logic at the end of your
> proposal to having two origins issuing attributes in the same domain,
> you can't map back from it to the origin site when you get the
> assertion at the SHIRE. So that would pretty much dictate that it be
> the one, true origin site name.

This is another good reason.

- RL "Bob"


