
shibboleth-dev - Multiple targets in a single domain?


Multiple targets in a single domain?
  • From: Jim Fox <>
  • To:
  • Subject: Multiple targets in a single domain?
  • Date: Wed, 30 Jun 2004 12:34:08 -0700 (PDT)


There is a belief in the shib world that a single internet
domain, e.g. example.edu, can contain within it multiple,
independent targets, e.g., example.edu/team1/ and
example.edu/team2/, toward which different attributes may be
released. This is a dangerous attitude.

Ultimately it is the browser that defines security boundaries,
through its policies regarding cookie distribution and
access to child page content - in particular its release
of session cookies - and the browser considers the network domain
to be the primary security boundary. All paths within the
same domain are considered to be, from the browser's perspective,
the same application. It will quite readily share cookies
and page content among all applications on the same domain.

An origin may attempt to release the PersonPrincipalName
for instance, to example.edu/team1/ but not to example.edu/team2/.
All it's really doing is making it only slightly more difficult
for team2 to get the user's principal name -- because the browser
will not protect team1's session data from the team2 site.

Jim
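As an added illustration (not part of Jim's message or of the Shibboleth code base), the following Node.js snippet models the two browser rules the message rests on: the same-origin policy, in which the URL path is not part of the origin, and RFC 6265 cookie scoping. The Path attribute only controls which requests carry a cookie; it does not stop same-origin script from reading it. The example.edu URLs and the `team1Session` cookie are constructed samples.

```javascript
// Added example (not from the original message): models the browser rules the
// message relies on. An origin is (scheme, host, port); the path is not part of
// it, so two "targets" under one host are one application to the browser.

function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// RFC 6265 section 5.1.3 domain matching (IP-literal check omitted).
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  return h === d || h.endsWith('.' + d);
}

// RFC 6265 section 5.1.4 path matching.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Would the browser attach this cookie to a request for url? Path matters here.
function cookieSentTo(cookie, urlString) {
  const u = new URL(urlString);
  if (cookie.secure && u.protocol !== 'https:') return false;
  return domainMatches(u.hostname, cookie.domain) && pathMatches(u.pathname, cookie.path);
}

// Can script on pageUrl read the cookie? Path is no barrier: the page can frame a
// same-origin URL that path-matches and read that frame's document.cookie.
function cookieReadableBy(cookie, pageUrl) {
  const u = new URL(pageUrl);
  if (cookie.httpOnly) return false;
  if (cookie.secure && u.protocol !== 'https:') return false;
  return domainMatches(u.hostname, cookie.domain);
}

// Constructed sample: a session cookie an SP might try to scope to one "target".
const team1Session = { name: '_session', domain: 'example.edu', path: '/team1/',
                       secure: true, httpOnly: false };

console.log(cookieSentTo(team1Session, 'https://example.edu/team2/'));     // false
console.log(cookieReadableBy(team1Session, 'https://example.edu/team2/')); // true
console.log(sameOrigin('https://team1.example.edu/', 'https://team2.example.edu/')); // false
```

Isolation therefore requires distinct hosts for the targets and host-only cookies; a Domain=example.edu cookie is still readable from team2.example.edu in this model.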
