shibboleth-dev - RE: ARP and Attributes
Subject: Shibboleth Developers
- From: Parviz Dousti <>
- To: Scott Cantor <>, "'Shibboleth Design Team'" <>
- Subject: RE: ARP and Attributes
- Date: Fri, 14 Jun 2002 09:19:35 -0400
What the heck am I talking about?!! ...
There is NO wildcarding in shar (the way it is implemented). Shar either matches exactly or "default" shar is used. That is it.
What I meant to say was we never established how shar is related to the hostname of the resource. Would there be a config file to map them? etc.
I changed the admin ARP to the following so there would be no confusion.
ARP: admin(admin)
  SHAR: no.other.match(default)
    URL: *.internet2.edu [edu, internet2, *]
      eduPersonAffiliation
      eduPersonPrincipalName
    URL: *.edu [edu, *]
      eduPersonAffiliation
Sorry for the confusion,
Parviz
--On Thursday, June 13, 2002 4:29 PM -0400 Scott Cantor <> wrote:
> > We never established the relationship between the SHAR and Resource.
> The arch doc does, though. It's very explicit: a wildcarded SHAR means
> there is no resource in the equation, because you haven't been specific
> enough about the requester to get that far.
> > The way I see it a SHAR of *.edu means if AA is contacted by any
> > shar from edu domain then it should look at the Resource they ask
> > about.
> No, it means you've set a very broad umbrella policy for all edu
> requesters, no matter what resource. You can't know what resources go
> with what SHARs, in general, and any SHAR could ask about any resource.
> > Match the resource and answer. To me SHAR and Resource are
> > independent.
> Not at all, there's a 1:many mapping of SHAR to resources. Resources
> live within the umbrella of one SHAR only, and if you have a policy for
> that SHAR, you can differentiate by resource (by app domain, actually).
> > The fact that this SHAR is marked as "default" is a different thing.
> > If no shar is given or no match is found we use the default.
> Right, but that's a separate issue.
> > To me SHAR is the entity that asks the question and Resource
> > is the subject of the question.
> The SHAR is the requester, but it's also part of the "subject" of the
> ARP. The SHAR and Resource together make up the subject of a particular
> logical policy. If you say "any" or "all of these" in the first part,
> you can't then narrow down the second. But if you nail down the first
> part exactly, then you can specify the second part in more detail.
> -- Scott
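An added sketch (not Shibboleth's code and not written by either poster) of the lookup this thread describes: the SHAR is matched exactly or the default SHAR is used, and only then is the resource host compared against that SHAR's URL rules, label by label. The data layout, the function names, the `shar.example.org` entry, reading `*` as one or more labels, and combining attributes from every matching URL rule are assumptions.

```python
from typing import List, Optional, Set

# Constructed policy: the first SHAR entry mirrors the admin ARP in the message;
# "shar.example.org" and its URL rule are made up to show an exact SHAR match.
ADMIN_ARP = [
    {"shar": "no.other.match", "default": True, "urls": [
        ("*.internet2.edu", {"eduPersonAffiliation", "eduPersonPrincipalName"}),
        ("*.edu", {"eduPersonAffiliation"}),
    ]},
    {"shar": "shar.example.org", "default": False, "urls": [
        ("*.example.org", {"eduPersonPrincipalName"}),
    ]},
]

def reversed_labels(host: str) -> List[str]:
    """'*.internet2.edu' -> ['edu', 'internet2', '*'], the bracketed form in the listing."""
    return host.lower().rstrip(".").split(".")[::-1]

def url_matches(pattern: str, host: str) -> bool:
    """Compare whole DNS labels from the TLD inward, never raw string suffixes.
    Assumption: a trailing '*' stands for one or more extra labels."""
    pat, labels = reversed_labels(pattern), reversed_labels(host)
    if pat[-1] == "*":
        fixed = pat[:-1]
        return len(labels) > len(fixed) and labels[:len(fixed)] == fixed
    return labels == pat

def select_shar(arp: list, shar: Optional[str]) -> Optional[dict]:
    """SHAR names match exactly (no wildcarding); otherwise the default entry applies."""
    for entry in arp:
        if shar is not None and entry["shar"] == shar.lower():
            return entry
    return next((e for e in arp if e["default"]), None)

def released_attributes(arp: list, shar: Optional[str], resource_host: str) -> Set[str]:
    """Assumption: attributes from every matching URL rule are combined."""
    entry = select_shar(arp, shar)
    released: Set[str] = set()
    if entry is None:
        return released  # no exact SHAR and no default: release nothing
    for pattern, attrs in entry["urls"]:
        if url_matches(pattern, resource_host):
            released |= attrs
    return released
```

Matching on whole labels means a host such as `evilinternet2.edu` falls under `*.edu` only, not `*.internet2.edu`, which a plain string-suffix comparison would get wrong.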