
shibboleth-dev - Re: attribute queries

Subject: Shibboleth Developers

  • From: Frank Siebenlist
  • To: Scott Cantor
  • Cc: "'Shibboleth Dev Team'"
  • Subject: Re: attribute queries
  • Date: Wed, 30 Mar 2005 09:27:37 -0800

Scott Cantor wrote:

I can see that many deployments will have multiple client machines from where a user can work. Also in our Grid deployments, there will be many intermediates that will work on behalf of many users. Furthermore, in many cases you want to store your policies centrally.


Whose policy? The SP wants what it wants. The user will or won't be willing
to release that information. I don't see the need for an ARP at all with
push, just a UI to say "here's what I'm going to get and send if you don't
stop me..."


I guess your answer shows how badly I've been able to communicate our use cases and how different our deployment model is from the traditional Shib usage.

Our clients don't have a UI where the user in real-time can decide about their release policy for a certain SP.

Our clients are agents that work independently from the user, which requires a user to make up its mind about the attribute release policy for SPs before it kicks off any jobs.

I hope you agree that an ARP is needed in those cases, and that it has to be maintained "somewhere", where it has to be found, downloaded, enforced, and be kept in sync with the ARP on the Shib-AA for those cases where the SP can pull the attributes directly.

-Frank.



--
Frank Siebenlist

The Globus Alliance - Argonne National Laboratory



