
shibboleth-dev - Using X.509 instead of Handles in AQM?


  • From: "Von Welch" <>
  • To:
  • Subject: Using X.509 instead of Handles in AQM?
  • Date: Tue, 4 Nov 2003 10:54:03 -0600


Making some time to really dig in on thinking about using Shib with
Globus, I was re-reading the Shib architecture document last night
(v05 from May 2002, latest I can find).

I noticed that scattered in a couple places in the document, e.g. in
3.2.3 and 5.6.1.2, there is talk about using certificates (I assume
X.509) instead of a handle in the attribute request (or AQM). But
3.2.3 leads me to believe this has never been standardized on and
hence may not be supported.

Architecturally, how opaque is the Subject field to the SAML AA?
Should the AA match it to the user's principal name (as opposed to a
handle) if both were identical? (I think the answer to this from
reading 5.6.1.2 is "Yes".)

And then of course, how close is the actual 1.0 implementation to that
architectural model?

A follow-on question, assuming it was worked out such that one could
query with an X.509 identity in the AQM, is it possible to set up an
ARP such that a user can always get their own attributes? I.e., a SHAR
== "Self" type of policy.

Hmmm, a more general version of that question is, can the SHAR
identifier in an ARP be something other than a hostname (or wildcard
version thereof)? (Both architecturally and 1.0 implementation.)

Thanks,

Von
