shibboleth-dev - Re: Shibboleth and Sympa

Re: Shibboleth and Sympa
  • From: Aumont - Comite Reseaux des Universites <>
  • To:
  • Subject: Re: Shibboleth and Sympa
  • Date: Fri, 17 Oct 2003 08:08:37 +0200

Dear Bob,

Here are some more comments about how Sympa (or any mailing list manager) should act with Shib.

> We do. SAML authentication statements contain an element that does this.
> For example, when authenticating with the UW origin the target gets:
>
> HTTP_SHIB_AUTHENTICATION_METHOD ==
> "urn:oasis:names:tc:SAML:1.0:am:password"

Great, we will use it in Sympa's authorization scenario process, and it will be possible for some operations (mainly listmaster admin operations) to require a particular authentication method (X509).

>> I'm very surprised; but maybe I misunderstood you: are you supposing
>> that we can't trust email addresses published in the home organization's
>> LDAP directory, i.e. that some email box could not be owned by the related user?
>> This is the only hypothesis made by Sympa...


> You can "trust" them, but you have to understand what they mean. And yes,
> my point exactly is that in the general case there is no guarantee that an
> email address listed for a user is under the control of that user.

This discussion started because some Shib designer says that users have multiple email addresses and may want to subscribe with "alternate email addresses". Right? A mailing list server should not allow anyone to subscribe to any list with an email address whose corresponding mailbox is not under his control. Right? Well, if the email attributes inherited by Sympa from Shib authentication are unverified email addresses, you will just have to configure Sympa to ignore these attributes. Sympa already allows alternate email addresses to be declared by the users. On the contrary, if the email attributes inherited by Sympa from Shib authentication are verified email addresses, it will be possible to configure Sympa to accept any of those email addresses for subscription, unsubscription, etc.

It's just a matter of Sympa configuration to define which Shib attribute provides a trusted email address.

Serge Aumont
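The two decisions discussed in this message, requiring a particular SAML authentication method for listmaster operations and treating only configured Shib attributes as sources of trusted email addresses, can be written as one small policy layer over the variables the Shibboleth SP exports. The block below is an added example, not Sympa's or Shibboleth's code. HTTP_SHIB_AUTHENTICATION_METHOD and the password method URI are taken from the message; the X509-PKI URI is the SAML 1.x identifier for X.509 public-key authentication; the attribute variable names HTTP_SHIB_EP_MAIL and HTTP_SHIB_EP_ALTMAIL, the ';' joining of multi-valued attributes, the sample request environment and the policy tables are assumptions made for the example.

```python
# Added example: a policy layer over the request variables a Shibboleth
# Service Provider exports to a web application. Constructed for this page;
# not Sympa or Shibboleth code. HTTP_SHIB_AUTHENTICATION_METHOD and the
# password URI come from the message above; the X509-PKI URI is the SAML 1.x
# identifier for X.509 public-key authentication; HTTP_SHIB_EP_MAIL,
# HTTP_SHIB_EP_ALTMAIL, the ';' joining of multi-valued attributes and the
# policy tables are assumptions for this example.

SAML1_AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
SAML1_AM_X509 = "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"

# Authentication methods acceptable for each operation (assumed policy).
# Listmaster administration requires the X.509 method: a session opened
# with a password is valid, but not strong enough for that operation.
ACCEPTED_METHODS = {
    "subscribe": {SAML1_AM_PASSWORD, SAML1_AM_X509},
    "unsubscribe": {SAML1_AM_PASSWORD, SAML1_AM_X509},
    "listmaster_admin": {SAML1_AM_X509},
}

# Exported attributes whose values the deployment treats as verified
# addresses (mailbox under the user's control). Attributes not listed here
# are ignored for subscription purposes: the "configure Sympa to ignore
# these attributes" option from the message.
TRUSTED_EMAIL_ATTRIBUTES = ("HTTP_SHIB_EP_MAIL",)

# Constructed request environment, as a web server would expose SP variables.
SAMPLE_ENV = {
    "HTTP_SHIB_AUTHENTICATION_METHOD": SAML1_AM_PASSWORD,
    "HTTP_SHIB_EP_MAIL": "alice@example.edu",
    "HTTP_SHIB_EP_ALTMAIL": "Alice@mail.example.org;a.smith@example.com",
}


def authentication_method(env):
    """The SAML authentication method asserted for this session, or None."""
    return env.get("HTTP_SHIB_AUTHENTICATION_METHOD") or None


def operation_allowed(env, operation):
    """True if the session's authentication method is acceptable for operation.

    Fails closed: an unknown operation, or a request with no method statement
    (for example when the SP did not export the variable), is denied.
    """
    accepted = ACCEPTED_METHODS.get(operation, set())
    return authentication_method(env) in accepted


def attribute_values(env, name):
    """Values of a multi-valued SP attribute (assumed ';' separated), lowercased."""
    return [v.strip().lower() for v in env.get(name, "").split(";") if v.strip()]


def trusted_emails(env, trusted_attributes=TRUSTED_EMAIL_ATTRIBUTES):
    """Addresses vouched for by the origin, read from trusted attributes only."""
    emails = set()
    for name in trusted_attributes:
        emails.update(attribute_values(env, name))
    return emails


def email_accepted(env, requested, user_declared=(),
                   trusted_attributes=TRUSTED_EMAIL_ATTRIBUTES):
    """Decide whether the user may subscribe or unsubscribe with `requested`.

    Accepted if the origin vouches for it (trusted attribute) or the user has
    declared it as an alternate address through the list manager's own
    verification (user_declared); never merely because some untrusted
    attribute happens to contain it.
    """
    wanted = requested.strip().lower()
    declared = {u.strip().lower() for u in user_declared}
    return wanted in trusted_emails(env, trusted_attributes) or wanted in declared


if __name__ == "__main__":
    print("subscribe, password session:", operation_allowed(SAMPLE_ENV, "subscribe"))
    print("listmaster admin, password session:",
          operation_allowed(SAMPLE_ENV, "listmaster_admin"))
    print("trusted addresses:", sorted(trusted_emails(SAMPLE_ENV)))
    print("a.smith@example.com accepted:",
          email_accepted(SAMPLE_ENV, "a.smith@example.com"))
```

With the sample environment, a password session may subscribe but not perform listmaster administration, and only alice@example.edu counts as a usable address; a.smith@example.com from the untrusted HTTP_SHIB_EP_ALTMAIL attribute is accepted only once the user has declared it through the list manager's own alternate-address verification. Widening TRUSTED_EMAIL_ATTRIBUTES to include the alternate-mail attribute is the other configuration described in the message, for origins that do guarantee control of those mailboxes.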