Shibboleth Developers

["Howard Gilbert" <>]

> I think this all fine, but I'm far from convinced that there aren't
> surprises in there for people trying to cut off Microsoft's server from
> their infrastructure. Microsoft doesn't tend to make that easy.

That may have been true in the past, when Microsoft originally designed IIS
based on an Intranet model. The problems became painfully apparent, however,
when people tried to build public Web sites for customers, suppliers, and
other people not in the internal Domain structure. Microsoft appears to have
learned its lesson, but as with everything a new interface needs to be tried
before you depend on it.

> Secondly, is there support in their data model for having arbitrary
> attributes, or just roles? Roles aren't going to be good enough.

No, the GenericPrincipal only has roles, but it isn't "sealed" and in any
event is simply a class that implements the IPrincipal interface. So either
by extension or replacement you could create the ShibbolethPrincipal class
that extends GenericPrincipal and adds attributes. Of course, the
application obtaining the IPrincipal from Thread.CurrentPrincipal would have
to test that it is a ShibbolethPrincipal and then cast it before calling the
getAttribute() method that is specific to ShibbolethPrincipals and is not
part of the more general IPrincipal interface (which only has the inRole()
method).