Shibboleth Developers

[Scott Cantor <>]

> Whereas the UC campus Handle Server interface needs to understand 
> this credential, the AA interface (currently) only understands the 
> HS-generated handle.  Clearly SMOP but ...
> 
> The same person's EPPN might be 
> ""
>  and I would 
> assume that a query to the AA for attributes based on this EPPN would 
> be straight forward.

Sure, but why would I know the EPPN from looking at your cert? Same problem.

> I suppose we could assume that a campus run AA could be programmed to 
> accept a campus generated cert full SubjectName as a query key.  At 
> UC, all we'd need is the CN= but we I don't think we can assume this 
> would be true everywhere.

The AA can do just about any of that with a plugin, but I think the target
shouldn't have to make a lot of decisions about it. That's why sending the
whole cert always seemed attractive to me even if you still wanted to do
path validation at the target.

-- Scott