
shibboleth-dev - RE: Trust metadata for discussion

  • From: Scott Cantor <>
  • Subject: RE: Trust metadata for discussion
  • Date: Wed, 14 May 2003 11:12:44 -0400
  • Importance: Normal
  • Organization: The Ohio State University

> how would we deal with the situation where osu.edu has to be in both
> groups/federations? (ie you'd like "regular" osu folks to be able to
> access your local targets?)

If there's no overlap in CAs, then the osu.edu origin has to know which key to use to sign based on the target. The obvious way to do that is to duplicate the HS and the AA entry points and configuration, which is trivial with J2EE and Apache.

I see that as a good solution, not a workaround.

> I suppose you could operate a second AA, making assertions on behalf
> of a differently named osu domain. And then include that second
> domain in the osu group.

No need.

> But, suppose you didn't want to do that.. and instead wanted to have
> the osu origin in BOTH incommon and the osu federation.....
>
> how would that affect your target side algorithms?

The target algorithms only apply after a POST. The starting point is the WAYF, and it will direct the user on behalf of the target to the right place. If my target trusts InCommon osu.edu but not OSU osu.edu, then it needs to use a WAYF that will send OSU users to the InCommon HS URL.

The limitation is that any given target has to know unambiguously which federation an origin site is in from its point of view. I don't see that as a big deal. Anything else is just asking for confusion. Federations are not "per-request-context" and they shouldn't act like it.

-- Scott
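The model Scott describes, as an added illustration that is not code from this thread or from the Shibboleth project: the origin keeps one HS/AA entry point per federation, each bound to the signing key that federation's CA issued, while each target maps an origin to exactly one federation and rejects a configuration where that mapping is ambiguous. All origin, federation, key and CA names below are constructed for the example.

```python
# Added example modelling the per-target federation rule from the message.
# All identifiers (federations, key ids, CA ids) are constructed, not real.
from dataclasses import dataclass


@dataclass
class OriginConfig:
    """Origin side (e.g. osu.edu): one duplicated HS/AA entry point per
    federation, each signing with the key that federation's CA certified."""
    signing_keys: dict  # federation -> signing key id used by that entry point

    def key_for(self, federation: str) -> str:
        if federation not in self.signing_keys:
            raise ValueError(f"origin has no entry point for {federation}")
        return self.signing_keys[federation]


@dataclass
class TargetTrust:
    """Target side: the federation an origin belongs to, from this target's
    point of view, must be unambiguous; each federation has its own CA set."""
    federation_cas: dict     # federation -> set of trusted CA ids
    origin_federation: dict  # origin -> set of federations it is placed in

    def is_unambiguous(self, origin: str) -> bool:
        return len(self.origin_federation.get(origin, set())) == 1

    def federation_for(self, origin: str) -> str:
        # "Federations are not per-request-context": exactly one answer.
        if not self.is_unambiguous(origin):
            raise ValueError(f"{origin} must map to exactly one federation")
        return next(iter(self.origin_federation[origin]))

    def accepts(self, origin: str, signer_ca: str) -> bool:
        # Post-POST check: the assertion's signer must chain to a CA of
        # the one federation this target trusts the origin through.
        return signer_ca in self.federation_cas[self.federation_for(origin)]


# Constructed sample: osu.edu is in both InCommon and a local OSU federation.
OSU_ORIGIN = OriginConfig({"incommon": "osu-incommon-key", "osu-fed": "osu-local-key"})
KEY_ISSUER = {"osu-incommon-key": "incommon-ca", "osu-local-key": "osu-ca"}  # key -> CA
FEDERATION_CAS = {"incommon": {"incommon-ca"}, "osu-fed": {"osu-ca"}}

# A target that trusts osu.edu only through InCommon; the WAYF it uses
# therefore sends OSU users to the InCommon HS entry point.
LIBRARY_TARGET = TargetTrust(FEDERATION_CAS, {"osu.edu": {"incommon"}})
# A misconfigured target listing osu.edu in both federations at once.
AMBIGUOUS_TARGET = TargetTrust(FEDERATION_CAS, {"osu.edu": {"incommon", "osu-fed"}})


def signer_ca_for_target(target: TargetTrust, origin_cfg: OriginConfig, origin: str) -> str:
    """Which CA the origin's assertion to this target will chain to."""
    return KEY_ISSUER[origin_cfg.key_for(target.federation_for(origin))]
```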
