Shibboleth Developers

[Walter Hoehn <>]

David L. Wasley wrote:
> > I do agree that the AA is potentially useful outside of the cononical 
> > shib use case, but the problem with this proposal is that not all 
> > identifiers are created equal.  Once the use is no longer anonymous, 
> > you start authenticating directly to the target, and you have no 
> > concept of presence; why not just use ldap?
>
> Simple: access control.  We have to conform to FERPA, user preferences, 
> granularity, etc, etc.  

I'm still not sure I get this.  I'm not necessarily arguing against you, 
just trying to clarify...  Most LDAP servers have access control.  We 
have access control.  Which is better is really just an implementation 
detail, since neither LDAP nor Shib specifies the access control 
mechanisms.  Are you saying "We should use shib for this because we own 
the code and can make it do cool stuff"?

> I would also like to be able to perform 
> configuration-controlled logic to answer compound queries, e.g. is this 
> a 3rd year medical student who has passed xxx qualifying exams?  In 
> made-up meta code
>  answer = (user(year-toward-degree) == 3) && (user(exam_result(xxx) >= 
> "pass");
>  return(answer);

Supporting these types of queries is way out of the scope of the current 
implementation.  You can, however, grab all available attributes and 
perform your own complex evaluation.  Alternatively, if the queries are 
not arbitrary, you can configure the AA to do complex evaluations and 
return the response in the form of a single agreed up on attribute.

-Walter

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature