Shibboleth Developers

["Tom Dopirak" <>]

All,

 I finally went back and read last Decembers thread on how to support
library workstations in shibboleth. This is the situation where no user
is available to authenticate but the actual physical location of the
origin denotes some authentication.

 David Wasley suggested that the HS figure out that the workstation is
in the library ( perhaps by IP address) and write a special handle that
is recognized by the AA. Thus the AA can release whatever is appropriate
for that workstation , e.g. member of community.

I am frankly uncomfortable not doing this in a more formal way,
particularly since we need to build something and because it's a common
problem.  I would like to come to some consensus as to how to use the
AQHS to represent the state of something not being authenticated by a
user authentication. I think this means specifying something additional
in the AuthenticationStatement. I am thinking that maybe we can expand
AuthenticationMethod  to include the notion of authenticated by
entitlement.

And this is a dumb idea because...


Tom

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--