shibboleth-dev - Re: GridShib integration


Re: GridShib integration

  • From: Tom Scavo <>
  • To: Scott Cantor <>
  • Cc: Shibboleth Development <>
  • Subject: Re: GridShib integration
  • Date: Thu, 3 Mar 2005 06:25:47 -0600

On Wed, 2 Mar 2005 23:48:07 -0500, Scott Cantor <> wrote:
>
> > We're not so much interested in the session (since a grid service
> > maintains its own) as we are in the resulting attributes. We've
> > developed a profile along these lines but it requires us to generate
> > an authn assertion to tap into the ACS, which we'd like to avoid.
>
> I know, and Booz-Allen just submitted essentially the same profile to the
> SSTC, plus some extra encryption and other weirdness.

Is their submission a public or private matter at this point? Can we
review their profile?

> > I don't totally understand the comment. No, we don't need an ACS
> > since we don't necessarily have an authn assertion to consume, but how
> > else do we get attributes short of implementing an AR ourselves?
>
> It sounded like what you were saying was, you go to the "ACS" with a client
> cert, instead of an assertion, and then that would be like a substitute for
> an assertion containing the subject from the certificate. That would be
> relatively simple to do, assuming you're willing to let the module build a
> session, because that's all the code knows how to do.

Well, that is certainly an option.

> But my point was, you don't really need a special location, if you just
> require SSL across the whole site. Then the session is just the
> authenticated client, and the cache can key off of that and fetch/maintain
> the attributes for it.

Ah, yes, Howard had mentioned that it would be possible to key off the
client cert.

> That seemed reasonable to me because if you're not going to use SSL across
> the site, you're losing virtually every bit of security, and why do that if
> you went through the unbelievable agony of dealing with client certs in the
> first place?

Yes, I see. Let me take this back to the group and see what they think.

Thanks,
Tom
