
shibboleth-dev - Re: WAYF talks (was WAYF cookie considered dubious)


Re: WAYF talks (was WAYF cookie considered dubious)


  • From: Sassa <>
  • To:
  • Subject: Re: WAYF talks (was WAYF cookie considered dubious)
  • Date: Wed, 20 Apr 2005 11:06:25 +0100

Olivier Salaün - CRU wrote:

That would indeed be a useful feature to have a hierarchical organization of IdP sites on the WAYF web page. This means that the sites.xml DTD should evolve to store this additional hierarchical information...

This change to the WAYF GUI is not enough though because in most cases (at least in France), a web resource is not widely open to all universities; it is rather restricted to some "partner" universities.

I think authentication is separate from authorisation. So I don't think it is a problem that a user will be able to pick a site that is not a "partner" university and present himself as a member of such a university. Then your SP will decide what attribute acceptance policy to use, so attributes from "non-partner" universities will be discarded, and the users from those universities will not be able to use the resource.

Moreover, the "non-partner" university may as well have an attribute release policy that would not release the relevant attributes to just any site - and again no access would be granted to such user.

In addition to that, only a subset of the users from the "partner" universities may have the necessary attributes assigned to them. This means that you can't keep refining "what sites to show". At some point the user will be able to authenticate, and still will not be able to get in.

And because Shibboleth is an SSO system, it also means that the user may authenticate once, whilst accessing a different site, then his authentication token will be used by the "non-partner" university - and it has to decide whether the user has the necessary access rights.

What's the problem with authenticating, but not authorising the users?

Maybe I am missing a crucial point of the discussion.


Sassa

In such situations, the user is not aware of this restriction; it is up to the SP to define this list of IdP sites. You still need to have multiple WAYF services either at the SP level or at a level where it is shared by a group of universities.

Sassa wrote:

Scott Cantor wrote:

[...]


Exactly, the latter especially. That's my point. Proliferating WAYFs is why ultimately the SP has to deal with this.


If the problem is that the list is too long, why can't WAYF categorize the sites, so the user would have two options: look through the whole list, or tree walk the categories and sub-categories. In essence, WAYF can be an LDAP browser, and the users choose:
[...]
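The split Sassa argues for (let the user authenticate at any IdP, then let the IdP's attribute release policy, the SP's attribute acceptance policy and an access rule decide authorisation) is easy to model end to end. The following is an added example written for this archive page, not Shibboleth's own ARP/AAP code; every entityID, attribute name, policy entry and sample user is a constructed assumption.

```python
"""
Illustrative model of the authentication/authorisation split discussed in the
thread: the WAYF lets a user pick ANY IdP, the IdP's attribute release policy
(ARP) decides what it tells the SP, the SP's attribute acceptance policy (AAP)
decides what it believes, and an authorisation rule on the surviving attributes
decides access. All identifiers below are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Assertion:
    issuer: str                                   # entityID of the authenticating IdP
    attributes: dict = field(default_factory=dict)


# --- IdP side: attribute release policy (constructed sample) -----------------
# IdP -> {SP entityID -> set of attribute names released to that SP}; "*" = any SP.
ARP = {
    "idp.partner-a.example": {"sp.journal.example": {"eduPersonAffiliation", "eduPersonEntitlement"}},
    "idp.partner-b.example": {"*": {"eduPersonAffiliation"}},
    "idp.other.example": {},                      # releases nothing to unknown SPs
}


def idp_release(idp: str, sp: str, user_attrs: dict) -> Assertion:
    """Authentication is assumed to succeed; release only what the ARP allows."""
    policy = ARP.get(idp, {})
    allowed = policy.get(sp, policy.get("*", set()))
    return Assertion(issuer=idp,
                     attributes={k: v for k, v in user_attrs.items() if k in allowed})


# --- SP side: attribute acceptance policy + authorisation (constructed) -------
PARTNER_IDPS = {"idp.partner-a.example", "idp.partner-b.example"}
ACCEPTED_ATTRS = {"eduPersonAffiliation", "eduPersonEntitlement"}


def sp_accept(assertion: Assertion) -> dict:
    """Keep attributes only from partner issuers and only accepted names.
    A non-partner IdP still authenticates the user; its attributes are dropped."""
    if assertion.issuer not in PARTNER_IDPS:
        return {}
    return {k: v for k, v in assertion.attributes.items() if k in ACCEPTED_ATTRS}


def authorise(attrs: dict) -> bool:
    """Access rule: staff/faculty affiliation, or the journal entitlement."""
    aff = set(attrs.get("eduPersonAffiliation", []))
    ent = set(attrs.get("eduPersonEntitlement", []))
    return bool(aff & {"staff", "faculty"}) or "urn:example:journal:read" in ent


def access_decision(idp: str, sp: str, user_attrs: dict) -> tuple:
    """Whole chain: authenticated anywhere -> ARP -> AAP -> authz.
    Returns (granted, attributes the SP actually accepted)."""
    accepted = sp_accept(idp_release(idp, sp, user_attrs))
    return authorise(accepted), accepted


if __name__ == "__main__":
    sp = "sp.journal.example"
    cases = [
        ("idp.partner-a.example", {"eduPersonAffiliation": ["faculty"]}),
        # partner-b's ARP never releases the entitlement: authenticated, not authorised
        ("idp.partner-b.example", {"eduPersonAffiliation": ["student"],
                                   "eduPersonEntitlement": ["urn:example:journal:read"]}),
        # non-partner faculty: authenticates fine, everything discarded by the SP
        ("idp.other.example", {"eduPersonAffiliation": ["faculty"]}),
    ]
    for idp, attrs in cases:
        print(idp, access_decision(idp, sp, attrs))
```

The second case is the one Sassa raises about partner universities: the WAYF cannot filter it out, because only the attributes released and accepted for that particular user decide the outcome.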



