
shibboleth-dev - RE: TargetedID Durability


  • From: "David L. Wasley" <>
  • To:
  • Subject: RE: TargetedID Durability
  • Date: Mon, 1 Aug 2005 09:12:51 -0700
  • Domainkey-signature: a=rsa-sha1; q=dns; c=simple; s=test1; d=earthlink.net; h=Mime-Version:Message-Id:In-Reply-To:References:Date:To:From:Subject:Content-Type; b=UikdWeRMG8i+6IKgTFm6EKFeW0us4WTkTcnaI0LQ244WhdF/TNlXTFthByZyLv0s;

Bob,
-----
At 1:05 AM +0200 on 8/1/05, RL 'Bob' Morgan wrote:

....

If we thought this happened a lot, we might think that there needs to be a UI at the IdP for an IdP user to pick an SP and say "forget my current ePTID with this one". I don't think we need this, though. I think the "de-federation" support that Scott mentions in SAML 2 would be initiated by UI at the SP (but I could be wrong about that).

- RL "Bob"

I think "we" need exactly that: a "UI at the IdP for an IdP user to pick an SP and say 'forget my current ePTID with this one'". That's one small way to achieve at least some level of anonymity, if the User cares to.

Clearly there are cases where that would be inappropriate but in those cases the SP should not accept an identifier that changes, or should have a way of re-establishing the actual association (with the User's knowledge).

WRT the SP "de-federating" (defenestrating?) a User, I assume that would be the equivalent of closing an account. Wouldn't the SP simply remove the ePTID from their ACL (or whatever) so that it was no longer useful?

David


