Shibboleth Developers

["David L. Wasley" <>]

At 2:09 PM -0400 on 9/25/03, Walter Hoehn wrote:

> As Scott indicated earlier, an AA can already be configured to 
> answer this type of query (give me the attributes for user 
> "").  A current limitation is that each AA can only 
> "understand" one type of user identifier at a time.  The SAML 
> attribute request format provides a means by which an AA can 
> distinguish among "user identifier formats" and the AA software 
> could, without too much trouble, be extended to handle this.

Cool.

> I do agree that the AA is potentially useful outside of the 
> cononical shib use case, but the problem with this proposal is that 
> not all identifiers are created equal.  Once the use is no longer 
> anonymous, you start authenticating directly to the target, and you 
> have no concept of presence; why not just use ldap?

Simple: access control.  We have to conform to FERPA, user 
preferences, granularity, etc, etc.  I would also like to be able to 
perform configuration-controlled logic to answer compound queries, 
e.g. is this a 3rd year medical student who has passed xxx qualifying 
exams?  In made-up meta code
 answer = (user(year-toward-degree) == 3) && (user(exam_result(xxx) >= 
"pass");
 return(answer);

A simple LDAP access method simply isn't enough.  I think the 
enhanced AA concept - an intelligent, trusted source that can respond 
to a variety of queries and query formats would be extremely useful.

I'm thinking of it as the core of a campus authorization support 
service -- well beyond Shib per se.

        David





------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

   http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--