shibboleth-dev - Re: attribute queries
Subject: Shibboleth Developers
- From: Tom Scavo
- To: Scott Cantor
- Cc: Walter Hoehn, Shibboleth Development
- Subject: Re: attribute queries
- Date: Mon, 28 Mar 2005 11:57:31 -0500

On Mon, 28 Mar 2005 11:24:52 -0500, Scott Cantor wrote:

> > Scott suggested that the grid client consume the grid service
> > metadata, which is what I meant when I said the grid client would have
> > to talk to the grid service initially.
>
> Why? Consuming metadata != talking to service.

I'm going to have to let someone else answer this, but my
understanding is that a grid client is extremely thin and so we can't
assume the metadata is cached on the client side.

> There are some serious firewall implications for clients talking to an AA...

Yes, thanks for pointing this out.

> > Essentially, what we'd like to do is communicate attribute
> > requirements to the AA by reference (not by value). Since the AA
> > already knows the attribute requirements of the grid service (via
> > ARP), we were hoping to capitalize on that in some way. Any ideas?
>
> Well, in 1.1, you could use Resource for this, assuming you identify the
> requester some other way

I thought the AA keyed off Resource to distinguish queries. Correct
me if I'm wrong, but Resource is usually the SP providerId. In the
case where a user is asking for its own attributes, I thought Resource
was a static value indicating the client type (e.g., LionShare).

I suppose it could be semi-static, that is, a static prefix to
indicate GridShib followed by the grid service providerId. Is this
what you had in mind?

> In 2.0, it's kind of impossible without an extension. This particular use
> case wasn't on the table, and Resource didn't have a well-defined purpose
> once Issuer was added.

Oh well, back to the drawing board, I guess. ;-)

Thanks,
Tom