Shibboleth Developers

[Scott Cantor <>]

> how would we deal  with the situation where osu.edu has to be in both 
> groups/federations? (ie you'd like "regular" osu folks to be able to 
> access your local targets?)

If there's no overlap in CAs, then the osu.edu origin has to know which key 
to use to sign based on the target. The obvious way to
do that is to duplicate the HS and the AA entry points and configuration, 
which is trivial with J2EE and Apache.

I see that as a good solution, not a workaround.

> I suppose you could operate a second AA,  making assertions on behalf 
> of a differently named osu domain. And then include that second 
> domain in the osu group.

No need.

> But, suppose you didn't want to do that.. and instead wanted to have 
> the osu origin in BOTH incommon and the osu federation.....
> 
> how would that affect your target side algorithms?

The target algorithms only apply after a POST. The starting point is the 
WAYF, and it will direct the user on behalf of the target
to the right place. If my target trusts InCommon osu.edu but not OSU osu.edu, 
then it needs to use a WAYF that will send OSU users
to the InCommon HS URL.

The limitation is that any given target has to know unambiguously which 
federation an origin site is in from its point of view. I
don't see that as a big deal. Anything else is just asking for confusion. 
Federations are not "per-request-context" and they
shouldn't act like it.

-- Scott

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--