shibboleth-dev - RE: OS X info, webDAV use case
- From: Scott Cantor <>
- To: "'David L. Wasley'" <>
- Cc:
- Subject: RE: OS X info, webDAV use case
- Date: Wed, 24 Sep 2003 17:49:41 -0400
- Importance: Normal
- Organization: The Ohio State University
> Actually, this scenario was anticipated early on but was not central
> to the initial Shib design. Clearly the AA can be a generalized
> "authorization" server speaking with authority about subjects it
> "knows." I would love to see this capability added (soon?
> eventually?).
Well, it more or less can do this now, if you configure it with a plaintext
handle provider. That's just a vanilla SAML AA.
> 1) What protocol? Clearly it could support (conceptually) anything
> from "whois" to a fully qualified LDAP query. In light of SAML/SOAP
> however, I would encourage a protocol that would support that
> methodology.
Right, and we're not building OpenLDAP here, the coolness of Walter's
resolver notwithstanding.
> 2) What information can be requested? Current Shib AA implementation
> doesn't look at query parameters (as I understand it) but merely
> responds with whatever it is willing to release to the identified
> target.
We support attribute queries that specify the attributes to be returned. But
all SAML subject queries leave how you match the subject against your local
account data unspecified.
> Perhaps a query parameter definition is needed so that a
> requester could ask, for example, for a PKI certificate associated
> with an email address, or ask for an email address associated with a
> public key, or ...
I believe the right approach is to support multiple SAML subject formats
(X.500 DN, emailAddress, etc.) at the same time.
> 3) What information might/should be released? The SHIB AA rules are
> roughly "release only public information to an unknown requester" and
> only designated information to a known target. Hence, any
> server/"interested party" could send a query to the AA, presumably
> with some content that would identify a single record in its DB, and
> the AA would respond appropriately. The requester would identify
> itself with a PKI certificate, as it does within Shib.
I agree, but I think it's valuable to include user presence as a policy
component for release.
-- Scott
------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at
http://archives.internet2.edu/
------------------------------------------------------mace-shib-design--
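Added example (not from the thread and not Shibboleth's own code): a toy Python SAML 1.1 attribute authority that dispatches on the NameIdentifier Format to match the subject against a local account store, honours the AttributeDesignators in the query, and treats requester identity and user presence as release-policy inputs, as the reply above proposes. Namespace and Format URIs are the SAML 1.1 / Shibboleth 1.x ones; the account record, requester DN and policy table are constructed.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
X509_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

# Constructed local account store: one record reachable through several subject keys.
ACCOUNTS = {
    "alice": {"mail": "alice@example.edu", "dn": "CN=Alice,O=Example U",
              "attrs": {"eduPersonAffiliation": "member", "givenName": "Alice",
                        "eduPersonEntitlement": "urn:mace:example.edu:lab"}},
}
PUBLIC = {"eduPersonAffiliation"}                 # released to any requester
POLICY = {"CN=sp.example.org": {"givenName", "eduPersonEntitlement"}}  # by cert subject
PRESENCE_REQUIRED = {"eduPersonEntitlement"}      # released only while the user is present

def resolve_subject(name_id, fmt):
    """Map a SAML subject to a local account, dispatching on NameIdentifier Format."""
    key = {EMAIL_FMT: "mail", X509_FMT: "dn"}.get(fmt)
    if key is None:                                # unsupported format: no match
        return None
    return next((a for a in ACCOUNTS.values() if a[key] == name_id), None)

def handle_query(xml_text, requester_dn, user_present):
    """Return the attributes this requester may receive for the queried subject."""
    root = ET.fromstring(xml_text)
    nid = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    account = resolve_subject(nid.text.strip(), nid.get("Format"))
    if account is None:
        return {}
    # Short attribute names from the requested AttributeDesignators (none = all allowed).
    requested = [d.get("AttributeName").rsplit(":", 1)[-1]
                 for d in root.findall(f"{{{SAML}}}AttributeDesignator")]
    allowed = PUBLIC | POLICY.get(requester_dn, set())
    if not user_present:
        allowed -= PRESENCE_REQUIRED
    return {a: account["attrs"][a] for a in (requested or account["attrs"])
            if a in allowed and a in account["attrs"]}

# Constructed SAML 1.1 AttributeQuery addressing the subject by e-mail address.
QUERY = f"""<samlp:AttributeQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  Resource="https://sp.example.org/">
  <saml:Subject><saml:NameIdentifier Format="{EMAIL_FMT}">alice@example.edu</saml:NameIdentifier></saml:Subject>
  <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:givenName"
      AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
  <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonEntitlement"
      AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
</samlp:AttributeQuery>"""
```

The same record answers an X509SubjectName query, so the subject format is a lookup key rather than a separate identity, and an unknown requester gets only the public attributes regardless of what it asks for.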