Shibboleth Developers

[Scott Cantor <>]

> Abstracting a bit from the particulars of this use case, it might be 
> worth considering a model in which a resource manager can initiate a 
> request for attributes about an already-authenticated user. 
> Instead of attributes being bound to users by virtue of the authentication
> process employed, as occurs in shibboleth v1 because of its focus on the
> web browser use case, there would need to be a step in which a resource 
> manager asks an origin to search for a user identity based upon whatever 
> authenitcation artifacts it has in hand 
> (
>  in Mark's 
> example). Attributes could only be transmitted if that search 
> is successful.

There's nothing all that much precluding it, except that the AA currently
doesn't support multiple mappings of subject identifier to principal.
Nothing very complex to change, though. But authentication is the real
problem. How do I convince mod_dav I'm mewilcox?

-- Scott

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--