shibboleth-dev - Re: attribute queries

Subject: Shibboleth Developers

  • From: Tom Scavo <>
  • To: Scott Cantor <>
  • Cc: Shibboleth Development <>
  • Subject: Re: attribute queries
  • Date: Sat, 26 Mar 2005 10:10:02 -0500

On Fri, 25 Mar 2005 18:03:37 -0500, Scott Cantor wrote:
> > That's the use case I have in mind. Consider LionShare, for example
> > (although GridShib will most likely propose something similar).
>
> No, that's not push, not in this context. I mean sending attributes with the
> SSO assertion. If you're not using a SSO profile, push isn't involved. You
> may be pushing, but that's not the IdP's perspective. If you're querying,
> that's pull.

Ah, I understand the distinction now, thanks.

> > Some of us (GridShib) would rather
> > not formulate specific attribute queries. We are looking for
> > alternatives. (I wonder what LionShare is doing?)
>
> The only possible reason I can even imagine for not spelling it out is that
> 1.1 doesn't handle value filtering.

Imagine that the grid client asks the AA for attributes and later
pushes those attributes to the grid service. To do this, the grid
client needs to know what attributes to ask for, so the grid client
first talks to the grid service to find out what attributes are
required. As a result of this initial exchange, the grid client can
formulate a specific attribute query.

The initial exchange between the grid client and the grid service
might be avoided if the grid client knew the providerId of the grid
service. In this case, the providerId could somehow be passed to the
AA in the query, and the AA could apply the ARP for that grid service and
return only the required attributes.

Do you follow me?

Thanks,
Tom
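
The second flow described in the message above, sketched as an added example (not code from the post or from Shibboleth): the AA selects the ARP by the providerId carried in the query and releases only what that policy allows. The policy layout, the providerId value and the directory entry are assumptions constructed for the illustration.

```python
# Added illustration: an attribute authority (AA) choosing what to release.
# All names, policies and values below are constructed for this example.

# Attribute release policies (ARPs) keyed by the relying party's providerId.
# Each ARP maps an attribute name to the set of permitted values,
# or to None to permit any value.
ARPS = {
    "urn:example:grid-service": {
        "eduPersonAffiliation": {"member", "faculty"},
        "eduPersonPrincipalName": None,
    },
}

# Constructed directory entry for one principal.
DIRECTORY = {
    "alice": {
        "eduPersonAffiliation": ["member", "faculty", "alum"],
        "eduPersonPrincipalName": ["alice@example.edu"],
        "mail": ["alice@example.edu"],
    },
}


def release(principal, provider_id, requested=None):
    """Return the attributes the AA releases for this query.

    provider_id selects the ARP; an unknown providerId releases nothing.
    requested is an optional list of attribute names (a specific query);
    when given, it can only narrow what the ARP allows, never widen it.
    """
    arp = ARPS.get(provider_id)
    if arp is None:
        return {}  # default deny: no policy, no attributes
    held = DIRECTORY.get(principal, {})
    names = list(arp) if requested is None else [n for n in requested if n in arp]
    released = {}
    for name in names:
        allowed = arp[name]
        values = [v for v in held.get(name, []) if allowed is None or v in allowed]
        if values:
            released[name] = values
    return released
```

With only a providerId in the query the client gets exactly the ARP's attributes without first asking the grid service what it needs; a specific query still works but cannot pull anything the ARP omits.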


