
shibboleth-dev - Re: Possible to proxy attribute assertions?

Subject: Shibboleth Developers

  • From: Peter Murray <>
  • To:
  • Subject: Re: Possible to proxy attribute assertions?
  • Date: Sat, 19 Mar 2005 23:23:57 -0500

On 3/19/05 3:48 PM, Scott Cantor wrote:
>>Setting aside for the moment that this does not follow the new world
>>order, is it possible given Shibboleth version 1.3 as we know it now?
>
> It has, in essence, nothing to do with Shibboleth today. Shibboleth
> addresses the use of SAML browser profiles and queries to authenticate and
> exchange attributes between IdP and SP and a client (browser). Anything
> further is outside the scope of Shibboleth. It isn't possible or not
> possible, it's just something else.

One very inelegant option that occurred to me is to have the MSE act as
an IdP in an exchange with the destination SP. In such a role, the
attribute assertions would "pass through" the MSE from the original IdP.
The MSE, then, would have to be part of the trust fabric as both an SP
and an IdP -- and in a shared consortial environment perhaps even an
array of IdPs representing different institutions!

This is clearly not the way to go.

Assuming an SP supports Shibboleth and all other things being equal
(federation memberships, etc.), what I'm trying to work out is if it is
possible to leverage the same access control infrastructure that a
client would use to directly access an SP to also control a client's
requests coming through an MSE. After working this through, it seems
like the answer is 'no' -- which comes as a shock because my first
impressions were more along the lines of 'no problem.'

> But I think somebody needs to just do something. I'm with Howard on that
> point.

This has been very helpful -- thank you. The NISO metasearch committees
are meeting next week in Durham, NC, and I'll bring the scope of this
discussion to them to see where we want to go next.


Peter
--
Peter Murray http://www.pandc.org/peter/work/
Assistant Director, Multimedia Systems tel:+1-614-728-3600;ext=338
OhioLINK: the Ohio Library and Information Network Columbus, Ohio


