Shibboleth Developers

[Scott Cantor <>]

> We never stablished the relationship between the SHAR and Resource.

The arch doc does, though. It's very explicit: a wildcarded SHAR means
there is no resource in the equation, because you haven't been specific
enough about the requester to get that far.

> The way I see it a SHAR of *.edu means if AA is contacted by any 
> shar from edu domain then it should look at the Resource they ask
about.

No, it means you've set a very broad umbrella policy for all edu
requesters, no matter what resource. You can't know what resources go
with what SHARs, in general, and any SHAR could ask about any resource.
   
> Match the resource and answer.  To me SHAR and Resource are
independent.

Not at all, there's a 1:many mapping of SHAR to resources. Resources
live within the umbrella of one SHAR only, and if you have a policy for
that SHAR, you can differentiate by resource (by app domain, actually).

> The fact that this SHAR is marked as "default" is a different thing.
> If no shar is given or no match is found we use the default.

Right, but that's a separate issue.

> To me SHAR is the entity that asks the question and Resource 
> is the subject of the question.

The SHAR is the requester, but it's also part of the "subject" of the
ARP. The SHAR and Resource together make up the subject of a particular
logical policy. If you say "any" or "all of these" in the first part,
you can't then narrow down the second. But if you nail down the first
part exactly, then you can specify the second part in more detail.

-- Scott

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--