
shibboleth-dev - Re: Gridshib profile

Subject: Shibboleth Developers

  • From: Thomas Lenggenhager <>
  • To:
  • Subject: Re: Gridshib profile
  • Date: Mon, 31 Jan 2005 10:41:45 +0100

In use case #1 (no pseudonymity) in point 6c it reads:
AA validates that the Service has the right to ask about the given
Subject. (This seems to mesh with Note #2 in the LionShare profile.)

In my understanding, that implies that each shibbolized Grid service
needs to be listed in the user specific ARP. Otherwise, if a shibbolized
Grid service would be configured in the site ARP, that service could try
to retrieve attributes from users who never tried to access that Grid
service since there is no opaque handle involved in this transaction
which normally protects from misuse.

Provided I understood that correctly, explicitly stating that could help
in understanding the process better.

The same implicit statement is in use case #2 point 9.

Will it be required to configure LionShare services in the user ARPs as
well for the same reason?

Shibbolizing Grid and LionShare services that way would require the
availability of end-user tools with which a user would be able to
configure his/her user specific ARP easily.

Thomas


