Shibboleth Developers

["Scott Cantor" <>]

> I am frankly uncomfortable not doing this in a more formal 
> way, particularly since we need to build something and 
> because it's a common problem.  I would like to come to some 
> consensus as to how to use the AQHS to represent the state of 
> something not being authenticated by a user authentication. I 
> think this means specifying something additional in the 
> AuthenticationStatement. I am thinking that maybe we can 
> expand AuthenticationMethod  to include the notion of 
> authenticated by entitlement.

SAML doesn't really define it precisely, so we can include whatever
notions we want, basically. I guess we can invent a URN that means
"subject of assertion is sitting at a public workstation and this is
enough for some purposes" and then insure that the properly restricted
set of attributes is associated with the handle.

It's a special case in terms of handling user lookup and so forth in the
AA, but it's not particularly a problem for SAML.

-- Scott

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--