Shibboleth Developers

["Diego R. Lopez" <>]

> Such requests are answered by the user's server, not the user's 
> client. This enables us to have some control server-side over a user's
> profile from the SAML perspective. So the chat service pings the 
> user's server, and the user's server replies (using our triumphant but
> yet-to-be-developed SAML-over-XMPP spec). There is no client-side work
> to do at all, no special clients required, everyone can use 
> off-the-shelf Jabber clients and there is no need for
> lockdowns on allowable clients. This is in line with the Jabber Way of
> shunting complexity on to servers and components, thus keeping clients
> as simple as possible.

So that means that it is not necessary to extend Jabber clients with
AA knowledge, but you'll have to do so with servers. Just to use the
scenario of the chat room, what I intended to say in my message was:

1) The chat room is restricted by an authorization rule saying "Only
   members of the Avengers can enter this room"

2) A user (let's say, 
captain.america@marvel)
 try to enter this room

3) The server must use a handle somehow conveyed by the user (from its
   configuration, from the client configuration, in an specific message,
   asking a handle service using the user ID) to contact the
   appropriate Attribute Authority and ask whether Captian America is
   member of the Avengers.

What you say (and I think that's good news) is that most, if not all,
of the effort can be done at the server: plain Jabber clients could do
in this more identity aware world of the future without change. I'm 
going to ask our Jabber-minded guy (Jose-Manuel Macias, who is also in
the list) to look this more deeply: I definitely like the idea.

Best regards,
  

-- 
"Esta vez no fallaremos, Doctor Infierno"
 
Diego R. Lopez

 
RedIRIS
The Spanish NREN
Tel:    +34 955 056 621
Mobile: +34 669 898 094
-----------------------------------------