
shibboleth-dev - RE: attribute queries

Subject: Shibboleth Developers


RE: attribute queries


  • From: "Scott Cantor" <>
  • To: "'Tom Scavo'" <>
  • Cc: "'Shibboleth Development'" <>
  • Subject: RE: attribute queries
  • Date: Sat, 26 Mar 2005 14:50:43 -0500
  • Organization: The Ohio State University

> Imagine that the grid client asks the AA for attributes and later
> pushes those attributes to the grid service. To do this, the grid
> client needs to know what attributes to ask for, so the grid client
> first talks to the grid service to find out what attributes are
> required. As a result of this initial exchange, the grid client can
> formulate a specific attribute query.

Or it could look at the grid service's metadata (be it in SAML form or any
other schema), couldn't it?

> The initial exchange between the grid client and the grid service
> might be avoided if the grid client knew the providerId of the grid
> service. In this case, the providerId could somehow be passed to the
> AA in the query, the AA could apply the ARP for that grid service and
> return only the required attributes.

The security model is such that I don't think we want to complicate matters
by talking about people asking on behalf of something else. Nor is there any
place to put the service's providerId. Not even in SAML 2.0. It makes more
sense to me that the client would figure out what it needed using the same
mechanism the AA would have to have.

-- Scott
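
An added illustration of the approach in the reply above (not part of the original message and not Shibboleth code): a client reads the attributes a service declares in its metadata and names only those in its attribute query. SAML 2.0 metadata and protocol element names are assumed; the entityID, attribute names, subject handle and helper function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample metadata for a hypothetical grid service. Real metadata
# must come from a trusted, integrity-checked source before it is parsed.
SERVICE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://grid.example.org/service">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Grid job submission</md:ServiceName>
      <md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonEntitlement" isRequired="true"/>
      <md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def requested_attributes(metadata_xml, required_only=False):
    """Return the attribute names the service's metadata asks for, in order."""
    root = ET.fromstring(metadata_xml)
    names = []
    for ra in root.iter(f"{{{MD}}}RequestedAttribute"):
        required = ra.get("isRequired", "false") in ("true", "1")
        if required or not required_only:
            names.append(ra.get("Name"))
    return names


def build_attribute_query(subject_name_id, attribute_names, request_id, issue_instant):
    """Build an AttributeQuery that names only the listed attributes."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery",
                       {"ID": request_id, "Version": "2.0", "IssueInstant": issue_instant})
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = subject_name_id
    for name in attribute_names:
        ET.SubElement(query, f"{{{SAML}}}Attribute", {"Name": name})
    return ET.tostring(query, encoding="unicode")


if __name__ == "__main__":
    wanted = requested_attributes(SERVICE_METADATA, required_only=True)
    print(build_attribute_query("sample-handle-123", wanted, "_req1", "2005-03-26T19:50:43Z"))
```

The AA still applies its own release policy to whatever the query names; the query only narrows what is asked for.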



