
shibboleth-dev - Re: comments: draft-mace-shibboleth-arch-protocols-02

Subject: Shibboleth Developers

  • From: "Alistair Young" <>
  • To: "Tom Scavo" <>
  • Cc: "Scott Cantor" <>,
  • Subject: Re: comments: draft-mace-shibboleth-arch-protocols-02
  • Date: Mon, 22 Nov 2004 11:59:22 -0000 (GMT)
  • Importance: Normal

Hi Tom,
I'm not really following the virtual student scenario. I don't know if SIS
users are fully qualified, most probably not and I doubt if any VLEs are
directly linked to an SIS.
I was taking the lack of a domain qualifier on an ID as being in the
"default" domain - i.e. a local student who doesn't use shibb to gain
access to the VLE.
The only time an ID is qualified, is if it's coming from another
institution. In that case, the account is created at authorisation time in
the VLE with a domain qualifier.
The VLE shouldn't know anything about the remote SIS at that other domain.
Rather, an info gathering agent will tie that ID to its "origin" info
when requested to do so.
To the VLE, the ID is just another ID but with a domain suffix on it, e.g.

and any additional info it requires to create an account,
such as full name, email etc.
Remember, the domain qualified ID is not an email address - it just looks
like one :)
Alistair

--
Alistair Young
Senior Software Engineer
UHI@Sabhal
Mòr Ostaig
Isle of Skye
Scotland

> On Thu, 18 Nov 2004 08:41:52 -0000 (GMT), Alistair Young
> <>
> wrote:
>>
>> In the VLE, we have to avoid namespace clashes. There may already be a
>> joebloggs user account locally. All VLEs have local user databases AFAIK.
>> So
>>
>> would mark the user as external and coming in via shib.
>> If they didn't, they'd continually get "invalid password" errors from the
>> VLE as it thinks they're local.
>
> This is what I was referring to yesterday. The "local user database"
> feeds off an administrative student information system. If the
> usernames are fully qualified in SIS, then they're fully qualified in
> the VLE and all is well.
>
> It is important that each student be represented in SIS, both students
> and virtual students. Otherwise there's no way for the institution to
> keep track of who's taking what courses, and this information is
> crucial for accounting and auditing purposes (i.e., it often
> translates into $$$ for the institution).
>
> Cheers,
> Tom
>
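The account handling discussed in this thread, sketched as an added example that is not part of either message or of any VLE's code: unqualified IDs stay in the "default" domain with a local password, while domain-qualified IDs get their own namespace and are created at authorisation time. The class and method names and the domain `other.example` are assumptions made for illustration.

```python
import hashlib, hmac, os

class AccountStore:
    """Hypothetical VLE user table keyed by (domain, user id)."""
    LOCAL = ""  # unqualified IDs live in the "default" domain

    def __init__(self):
        self.accounts = {}

    @staticmethod
    def split(identifier):
        # A qualified ID looks like an email address but is only user@domain.
        user, sep, domain = identifier.partition("@")
        if not user or (sep and not domain) or "@" in domain:
            raise ValueError("malformed identifier")
        return domain.lower(), user

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_local(self, user, password):
        if "@" in user:
            raise ValueError("local IDs are unqualified")
        salt = os.urandom(16)
        self.accounts[(self.LOCAL, user)] = {"salt": salt,
                                             "hash": self._hash(password, salt)}

    def password_login(self, identifier, password):
        domain, user = self.split(identifier)
        acct = self.accounts.get((domain, user))
        # Only default-domain accounts have a password; a qualified ID is
        # never checked against the local joebloggs password.
        if domain != self.LOCAL or acct is None:
            return False
        return hmac.compare_digest(self._hash(password, acct["salt"]), acct["hash"])

    def federated_login(self, scoped_id, attrs):
        domain, user = self.split(scoped_id)
        # An external login must carry a domain qualifier, so it can never
        # land on, or be created over, a local account of the same name.
        if domain == self.LOCAL:
            raise PermissionError("external IDs must be domain qualified")
        # Create the account at authorisation time from the info supplied
        # (full name, email etc.); later logins reuse the same record.
        return self.accounts.setdefault((domain, user), {"external": True, **attrs})
```
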



