
shibboleth-dev - Shib and portals

Subject: Shibboleth Developers



  • Subject: Shib and portals
  • Date: Wed, 24 Sep 2003 16:23:41 -0400

18-24 months ago, we had quite a bit of discussion about how to integrate Shib and portals (or, more specifically, uPortal). At that time, we stopped the discussion, because 1) the problem is hard, and 2) it was clear that we wouldn't be addressing this scenario with the initial implementation.

Now, we've begun discussions about the next version of Shib, and we're once again looking at this question.

So far, in conference calls, we've managed to revisit and tour much of the same landscape we explored all those many months ago. One of the popular discussion items is the basic model -- we go round and round on whether the portal can cache credentials and attributes or not. Should the portal obtain and hold a superset of all the attributes required by the various channels it contains, and pass these attributes on to the channels, or should each channel that needs shib attributes make a separate request back to the AA?

So far, there's been no obvious answer. One recent breakthrough, tho, has been to look at this from the trust perspective, and to ask "are there channels (applications) that would not trust the proxy to obtain and forward attributes on their behalf?". We can imagine that there *might be* intra-domain applications with this constraint; it's easier to imagine inter-domain applications with this constraint. But, while we can imagine these situations, we also see that virtually all current portal deploys do cache credentials, and this seems to be quite acceptable to campuses. We certainly don't hear lots of screams about this.

And, so far, we don't have a concrete use case in front of us where the channel WILL NOT use forwarded attributes......

Can someone think of one?
