
shibboleth-dev - IP addresses and WAYF

Subject: Shibboleth Developers

  • From: Alistair Young <>
  • To: Shibboleth Development <>
  • Subject: IP addresses and WAYF
  • Date: Mon, 11 Jul 2005 11:41:46 +0100

We've been having a wee think here about bypassing the WAYF, if possible, using IP matching. The idea is an SP takes the IP address from the HTTP headers and does a lookup to see if it can decide automatically where the IdP is.

Well, realistically, the SP will forward the IP address to the WAYF which will do the lookup and forward the SAML Request to the matched IdP, thus bypassing a potentially massive list of IdPs.

The philosophical question raised though, is this behaviour ethical within a Shibboleth environment? In my case, my IP address can be used to identify me as it's unique, e.g. it's one of my attributes. An attribute over which I have no control as it's not in any IdP ARP. The SP would just take it without my knowledge/agreement.

It would be less intrusive if the IP was a NAT but the ethical question is still there.

It's an easy way of scaling down the WAYF a bit but subject to the usual (IP may not be available, internet cafe won't work etc). These technical questions are trivial.

What I'm really interested in is people's views on gathering non-ARP-regulated attributes such as IP address.

ta,
Alistair
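
The IP-to-IdP lookup proposed in this message, as an added example that is not part of the original post or of the Shibboleth code base. The address ranges and entityIDs are constructed placeholders, `idp_for_ip` is a hypothetical name, and the caller is assumed to pass the connection's peer address.

```python
import ipaddress

# Constructed mapping of institutional ranges to IdP entityIDs.
# Ranges are documentation prefixes; entityIDs are placeholders.
IDP_RANGES = {
    "192.0.2.0/24": "https://idp.uni-a.example/shibboleth",
    "192.0.2.128/25": "https://idp.dept.uni-a.example/shibboleth",
    "198.51.100.0/24": "https://idp.uni-b.example/shibboleth",
    "2001:db8:a::/48": "https://idp.uni-a.example/shibboleth",
}

# Parse once and order most-specific first so a departmental range
# wins over the campus range that contains it.
_TABLE = sorted(
    ((ipaddress.ip_network(cidr), idp) for cidr, idp in IDP_RANGES.items()),
    key=lambda entry: entry[0].prefixlen,
    reverse=True,
)


def idp_for_ip(remote_addr):
    """Return the matched IdP entityID, or None to fall back to the full WAYF list.

    remote_addr should be the TCP peer address seen by the server; a
    client-supplied header value can be set to anything by the client.
    The address is used only for the lookup and is not stored or returned.
    """
    if not remote_addr:
        return None  # address unavailable: show the normal WAYF
    try:
        addr = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        return None  # malformed value: show the normal WAYF
    for net, idp in _TABLE:
        if addr.version == net.version and addr in net:
            return idp
    return None  # unknown network (e.g. internet cafe): show the normal WAYF


if __name__ == "__main__":
    for sample in ("192.0.2.10", "192.0.2.200", "203.0.113.5", "2001:db8:a::1"):
        print(sample, "->", idp_for_ip(sample))
```

A match here is only a hint for choosing where to send the request; the user still authenticates at the IdP, and any address without a match gets the ordinary WAYF list.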



