
shibboleth-dev - RE: Possible to proxy attribute assertions?

Subject: Shibboleth Developers


RE: Possible to proxy attribute assertions?


  • From: "Wilcox, Mark" <>
  • To: "Peter Murray" <>, <>
  • Subject: RE: Possible to proxy attribute assertions?
  • Date: Sat, 19 Mar 2005 17:32:32 -0500

 
Scott wrote:
>>So, another way to ask the core I think is this:  "does the metasearch
>>engine, acting as an SP, have enough information to turn around and act
>>as if it were an IdP to the destination SPs?"
>
>This, as I said, is the easy case, because the IdP is the authority. If the
>engine is trusted to do this, it makes up whatever it wants, presumably
>based on what it received.
Peter wrote:
>Correct me if I get this wrong, but I think you intended to say "because
>the MSE is the authority" as you go on to describe how the MSE can, in
>reality, assert anything it wants to the destination SP.
Yes, the MSE could do this, but here are the problems that brings up:
 
1 - How do you let these other SPs know that the MSE is acting as a proxy IdP? For example, the SP might want to have a rule that certain pieces of content are only accessible by identities that are validated by the original IdP.
 
2 - One of the guiding principles of Shibboleth is that the user controls where their attributes are sent. The MSE could potentially be violating this rule (the Shibboleth Golden Rule if you will) if it gathered the attributes from the original IdP and sent them on to the other SP without the user's consent.
 
Mark
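The two problems Mark raises above, modelled as an added example (this is illustration code written for this archive page, not Shibboleth code and not anything the list participants posted). It assumes made-up entity IDs (MSE_ENTITY_ID, HOME_IDP_ID), a made-up per-user, per-destination consent table, and a simplified "assertion" record in which a proxy records the upstream issuer in an original_issuer field. Problem 1 is handled by the destination SP noticing that the assertion's issuer is the MSE's own entity ID rather than the home IdP's, and refusing proxied assertions for content that requires direct IdP validation; problem 2 is handled by the MSE forwarding only the attributes the user released for that destination.

```python
"""Toy model of a metasearch engine (MSE) re-asserting attributes it received
from a user's home IdP to downstream SPs.  Added illustration, not Shibboleth
code; entity IDs, resource paths, attribute names and consent data are made up."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

MSE_ENTITY_ID = "https://mse.example.org/shibboleth"         # assumed proxy entity ID
HOME_IDP_ID = "https://idp.university.example/shibboleth"    # assumed original IdP


@dataclass
class Assertion:
    issuer: str                 # entity that vouches for these statements
    subject: str                # opaque handle for the user
    attributes: dict            # attribute name -> list of values
    # Filled in by a proxy so the consumer can tell who originally authenticated
    # the user.  The consumer can trust this field only as far as it trusts the proxy.
    original_issuer: Optional[str] = None


def relay_without_consent(received: Assertion) -> Assertion:
    """What a naive MSE would do: re-assert everything it got.  The attributes
    now travel to an SP the user never released them to (problem 2)."""
    return Assertion(MSE_ENTITY_ID, received.subject, dict(received.attributes),
                     original_issuer=received.issuer)


def relay_with_consent(received: Assertion, destination_sp: str,
                       consent: dict[tuple[str, str], set[str]]) -> Assertion:
    """MSE relay that forwards only attributes the user released for this
    destination.  `consent` maps (subject, destination SP) -> attribute names."""
    allowed = consent.get((received.subject, destination_sp), set())
    forwarded = {name: vals for name, vals in received.attributes.items() if name in allowed}
    return Assertion(MSE_ENTITY_ID, received.subject, forwarded,
                     original_issuer=received.issuer)


def leaked_by_naive_relay(received: Assertion, destination_sp: str,
                          consent: dict[tuple[str, str], set[str]]) -> set[str]:
    """Attribute names a naive relay would send that the user did not release."""
    allowed = consent.get((received.subject, destination_sp), set())
    return set(received.attributes) - allowed


def sp_decide(assertion: Assertion, resource: str, *, trusted_idps: set[str],
              known_proxies: set[str], idp_only_resources: set[str]) -> str:
    """Destination SP policy (problem 1).  A proxied assertion is recognisable
    because its issuer is the MSE's entity ID, not the home IdP's.  Resources in
    `idp_only_resources` require an assertion issued directly by a trusted IdP."""
    proxied = assertion.issuer in known_proxies
    if not proxied and assertion.issuer not in trusted_idps:
        return "deny: unknown issuer"
    if proxied and assertion.original_issuer not in trusted_idps:
        return "deny: proxy reports untrusted original IdP"
    if proxied and resource in idp_only_resources:
        return "deny: resource requires direct IdP assertion"
    return "allow"


if __name__ == "__main__":
    # Constructed sample data.
    sp1 = "https://sp1.example/shibboleth"
    received = Assertion(HOME_IDP_ID, "h123",
                         {"eduPersonAffiliation": ["member"], "mail": ["user@example"]})
    consent = {("h123", sp1): {"eduPersonAffiliation"}}
    policy = dict(trusted_idps={HOME_IDP_ID}, known_proxies={MSE_ENTITY_ID},
                  idp_only_resources={"/licensed"})
    print("naive relay would leak:", leaked_by_naive_relay(received, sp1, consent))
    fwd = relay_with_consent(received, sp1, consent)
    print("forwarded attributes:", sorted(fwd.attributes))
    print("/licensed via proxy:", sp_decide(fwd, "/licensed", **policy))
    print("/catalog via proxy:", sp_decide(fwd, "/catalog", **policy))
    print("/licensed direct from IdP:", sp_decide(received, "/licensed", **policy))
```

The SP-side rule only works if the destination SP can tell a proxy's assertions apart from the home IdP's, which here means the MSE signs as itself rather than impersonating the IdP; if it did impersonate, the SP would have no way to apply the "validated by the original IdP" rule at all. The original_issuer field is the proxy's own claim and is only as trustworthy as the proxy, so an SP that cares should still restrict which proxies it accepts.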



