shibboleth-dev - RE: Setting up a shared Shibboleth IdP - can it be done?

RE: Setting up a shared Shibboleth IdP - can it be done?


  • From: "Nils Andreas Thommesen" <>
  • To: <>
  • Subject: RE: Setting up a shared Shibboleth IdP - can it be done?
  • Date: Wed, 19 Oct 2005 16:56:56 +0200

Thanks a lot for the reply.

|
| > We'd base the location of the correct UsedDB on the username, which
| > would have a part that identified the home organization of the user.
|
| I think this aspect might be a big problem. Leaving aside the
| question of why I should send my credentials outside of my
| organization, which might be something you're already doing
| now anyway, expecting users to properly enter things is
| usually a potential red flag to me.
|

What is happening today is that the users already have what we call fully
qualified FEIDE-names, which consist of their (local) user name, supplied by
their home organization, and a FEIDE-realm, which is the part indicating the
home organization, in the format of email addresses:


| I'd be inclined to say that users should self-select an
| institution first (much like a WAYF). That's how I've seen
| similar systems work.

Our current login service has both a drop-down list of possible home
organizations (much like a WAYF), or the user can elect to enter the
complete FEIDE-name. What we would like to do, is to see if we can find some
ways to set up Shibboleth to work in a similar way to what we are doing now.

| It
| might also be a problem actually figuring out where to go get
| user attributes.

We haven't currently seen that as a potential problem, as the
FEIDE-realm-part of the FEIDE-name is uniquely mapped to the correct LDAP
entry points where our login service can find the correct Distinguished Name
for the current user, and with it, any attributes the services have
requested.

I will just mention that I've found out (through the shibboleth-users-list)
that initiatives in the UK and other places around the concept of "Virtual
Organizations" seem like a fruitful way for my further investigations.

Again, thanks for the reply.

Regards,
Nils A. Thommesen
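The lookup the message describes, a fully qualified name of the form local-user@realm whose realm part selects the directory entry point where the user's DN and requested attributes are found, as an added, self-contained illustration. This is not code from FEIDE, Sympa or the Shibboleth IdP; the realm table, base DNs, login attribute names, directory contents and attribute names are all constructed for the example, and the in-memory dictionary stands in for the real LDAP servers.

```python
"""Resolve a FEIDE-style fully qualified name (local@realm) to a directory
entry point, find the user's DN there, and return the requested attributes.

Added example, not FEIDE or Shibboleth code. Everything below the imports
(realm table, base DNs, attribute names, directory entries) is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RealmConfig:
    base_dn: str     # entry point where the search for the user's DN starts
    login_attr: str  # attribute that holds the local (unqualified) username


# Constructed realm -> entry-point table. In a deployment this is the login
# service's own configuration; a realm that is not listed here is refused, so
# user input never selects an arbitrary directory.
REALMS: Dict[str, RealmConfig] = {
    "example-univ.example": RealmConfig("ou=people,dc=example-univ,dc=example", "uid"),
    "example-college.example": RealmConfig("ou=users,dc=example-college,dc=example", "cn"),
}

# Constructed stand-in for the organizations' LDAP directories: base DN -> entries.
DIRECTORY: Dict[str, List[Dict[str, str]]] = {
    "ou=people,dc=example-univ,dc=example": [
        {"dn": "uid=alice,ou=people,dc=example-univ,dc=example", "uid": "alice",
         "mail": "alice@example-univ.example", "eduPersonAffiliation": "student"},
    ],
    "ou=users,dc=example-college,dc=example": [
        {"dn": "cn=bob,ou=users,dc=example-college,dc=example", "cn": "bob",
         "mail": "bob@example-college.example", "eduPersonAffiliation": "staff"},
    ],
}


class UnknownRealm(ValueError):
    """The realm part is not one the service is configured to serve."""


class NoSuchUser(LookupError):
    """No single entry in the realm's directory matches the local part."""


def split_feide_name(name: str) -> Tuple[str, str]:
    """Split 'local@realm' into (local, realm); the realm is case-folded.

    Exactly one '@' is required so that a name such as 'x@a@b' cannot be
    read as belonging to one realm by this code and another by the directory.
    """
    name = name.strip()
    if name.count("@") != 1:
        raise ValueError("a fully qualified name must contain exactly one '@'")
    local, realm = name.split("@")
    if not local or not realm:
        raise ValueError("empty local part or realm")
    return local, realm.lower()


def resolve_entry_point(realm: str) -> RealmConfig:
    """Map a realm to its configured entry point; unknown realms are rejected."""
    cfg = REALMS.get(realm)
    if cfg is None:
        raise UnknownRealm(realm)
    return cfg


def find_user_dn(name: str) -> str:
    """Locate the Distinguished Name of the user behind a fully qualified name."""
    local, realm = split_feide_name(name)
    cfg = resolve_entry_point(realm)
    # Exact comparison on the login attribute. Against a real server the local
    # part must be escaped into the search filter (RFC 4515), never interpolated.
    matches = [e for e in DIRECTORY.get(cfg.base_dn, []) if e.get(cfg.login_attr) == local]
    if len(matches) != 1:
        raise NoSuchUser(name)
    return matches[0]["dn"]


def fetch_attributes(name: str, requested: List[str]) -> Dict[str, str]:
    """Return only the attributes a service requested that exist on the entry."""
    dn = find_user_dn(name)
    _, realm = split_feide_name(name)
    cfg = resolve_entry_point(realm)
    entry = next(e for e in DIRECTORY[cfg.base_dn] if e["dn"] == dn)
    return {attr: entry[attr] for attr in requested if attr in entry}


if __name__ == "__main__":
    print(find_user_dn("alice@example-univ.example"))
    print(fetch_attributes("bob@example-college.example", ["mail", "eduPersonAffiliation"]))
```

The point of the allow-list in `REALMS` is that the realm typed by the user only ever chooses among entry points the service already trusts; a realm outside the table fails closed rather than turning into a directory search somewhere else.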
