Shibboleth Developers

["Scott Cantor" <>]

> When a (non-browser) grid client requests a proxy certificate, MyProxy
> registers the DN with the Shib authentication authority (with TTL
> equal to that of the proxy cert).  Later, when the grid client
> authenticates to the grid SP, an AuthenticationQuery with an
> X509SubjectName identifier is issued to the authentication authority. 
> In response, the grid SP receives an authentication assertion.  In
> addition, the authentication authority pushes an attribute assertion
> in the response.  (Alternatively, the grid SP could make a separate
> request for attributes at a later time.)

It seems like it suffers from the same basic problem as all the other use
cases I've seen for the query do...why would you do it? If you've already
authenticated to the grid service, why does it need a SAML assertion?

About the only reason I could think of would be to do something with the
AuthnContext feature, so it would be a SAML 2.0 thing, and it would still be
something you could ship as a set of attributes anyway.

There is a lot of downside to SAML separating AuthnStatement from
AttributeStatement. In practice, I think it doesn't work real well, and
that's one reason AuthnQuery always seemed silly to me.

-- Scott