shibboleth-dev - Re: authentication authority
Subject: Shibboleth Developers
List archive
- From: Von Welch <>
- To:
- Subject: Re: authentication authority
- Date: Sun, 9 Oct 2005 12:41:15 -0500
Scott,
Understood.
We've actually considered this both ways for the reasons you give, MyProxy in the same domain as the IdP and MyProxy as a part of a web portal in the SP domain - in order to do delegation (I owe you a use case on that thread too...)
VOn
On Oct 7, 2005, at 8:59 AM, Scott Cantor wrote:
I think you've got it, though I don't understand why you think it
only makes sense if the CA and IdP are in separate domains. From my
perspective bridging mechanisms has the same impact here as domains.
My sequence of steps involved authenticating to MyProxy with SAML. Tom's did
not, it assumed the MyProxy used the same authentication source as the SAML
IdP. That's not feasible unless the MyProxy is in the same domain as the
IdP.
In the former case, while I suppose you could invent a lot of new stuff to
enable use of SAML to authenticate to MyProxy, I don't think anyone would
bother if it shared a domain already with the authentication source.
That's why I think the domains matter.
-- Scott
- Re: authentication authority, (continued)
- Re: authentication authority, Tom Barton, 10/14/2005
- Re: authentication authority, Tom Scavo, 10/14/2005
- RE: authentication authority, Scott Cantor, 10/14/2005
- Re: authentication authority, Tom Scavo, 10/14/2005
- Re: authentication authority, Scott Cantor, 10/14/2005
- Re: authentication authority, Brent Putman, 10/14/2005
- Re: authentication authority, Tom Scavo, 10/14/2005
- RE: authentication authority, Scott Cantor, 10/07/2005
- Re: authentication authority, Tom Scavo, 10/08/2005
- Re: authentication authority, Von Welch, 10/09/2005
Archive powered by MHonArc 2.6.16.