shibboleth-dev - RE: OS X info, webDAV use case

Subject: Shibboleth Developers

  • From:
  • To:
  • Subject: RE: OS X info, webDAV use case
  • Date: Wed, 24 Sep 2003 13:19:59 -0400

At 12:27 PM -0400 9/24/03, Scott Cantor wrote:
> > Abstracting a bit from the particulars of this use case, it might be
> > worth considering a model in which a resource manager can initiate a
> > request for attributes about an already-authenticated user.
> > Instead of attributes being bound to users by virtue of the authentication
> > process employed, as occurs in shibboleth v1 because of its focus on the
> > web browser use case, there would need to be a step in which a resource
> > manager asks an origin to search for a user identity based upon whatever
> > authentication artifacts it has in hand ( in Mark's example).
> > Attributes could only be transmitted if that search is successful.
>
> There's nothing all that much precluding it, except that the AA currently
> doesn't support multiple mappings of subject identifier to principal.
> Nothing very complex to change, though. But authentication is the real
> problem. How do I convince mod_dav I'm mewilcox?


hmmm... finally a use case for PKI (-:

so, I authn to the webdav server using PKI. It's never heard from me before, but, thru the magic of PKI, I'm able to prove my identity.....

and the cert that I provide contains the info the target would supply back to the AA....

when I saw Tom's initial posting, I had a different question.. an AA will release attributes when presented with a SAML authn assertion signed by itself (ie the origin)... assuming I could authn to the webdav server using basic auth.... who would sign the authn assertion that has to be presented to the AA?

maybe using PKI, and presenting a cert, would answer this question, too

and, as Tom noted, interesting overlap with the grid scenario.......
