
shibboleth-dev - Re: Constrained delegation with additional attributes

  • From: "Alistair Young" <>
  • To: "Tom Scavo" <>
  • Cc: "Scott Cantor" <>,
  • Subject: Re: Constrained delegation with additional attributes
  • Date: Tue, 22 Nov 2005 16:25:12 -0000 (GMT)
  • Importance: Normal

I see clearer now, thanks to you both. I understand Scott's idea of SPa
asking the IdP to release encrypted attributes for SPb. So potentially SPa
could be extracting n sets of encrypted attributes for the SPb...n that it
knows it may talk to.

That could be a lot of attributes that may not be needed and could expire
depending on an IdP's SP policy but it allows SPa to forward the encrypted
attributes to SPb, SPc, SPn when those SPs are invoked. In this case, SPb
- SPn are web services and not traditional shibb SPs, so we're using the
WS-Security SAML Token Profile 1.1 (which I found!).

The alternative is SPa only gets its own attributes and when contacting
SPb, passes on the SAML Subject and SPb uses this to get attributes for
that Subject specific to SPb. A SAML loopback profile if you like. SPb
loops back to the IdP with the Subject it got from SPa.

SAML Token Profile still has AuthorityBinding in it (it seems). I agree
this is SAML2 and we'll be building a SAML2 implementation. Of which
scenario, delegation or loopback, not sure yet but open to opinions from
those who know.

Many thanks,

Alistair


--
Alistair Young
Senior Software Engineer
UHI@Sabhal
Mòr Ostaig
Isle of Skye
Scotland

> On 11/22/05, Alistair Young
> <>
> wrote:
>>
>> What I'm not sure about is whether a SAML Subject, issued by an IdP is
>> SP
>> specific, i.e. would the AA release attributes to the VFS based on a
>> SAML
>> Subject it originally issued to the VLE?
>
> To answer your question directly, no, a name identifier is not
> SP-specific. It could be, I suppose, but AFAIK there is no
> implementation of NameIdentifierMapping that takes into account the
> requesting SP.
>
> Tom
>
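The two patterns discussed in this message (SPa pre-fetching per-SP encrypted attribute bundles to forward, versus SPb looping back to the Attribute Authority with the Subject) as an added worked example. This is not Shibboleth or OpenSAML code and not part of the original thread; it is a self-contained model that stands in real XML Encryption and per-SP public keys with a toy HMAC-derived keystream and pre-shared per-SP keys, and uses a constructed attribute-release policy and user record. What it shows is the security property both designs depend on: the AA filters attributes per requesting SP, each delegated bundle is bound to one audience so the intermediary SPa cannot read or re-target SPb's bundle, and the loopback path yields exactly the same SPb-scoped attribute set.

```python
"""Toy model of attribute delegation vs. loopback (added example, not Shibboleth code)."""
import hashlib
import hmac
import json
import os

# Constructed sample: which attributes the IdP's Attribute Authority releases to each SP.
RELEASE_POLICY = {
    "SPa": {"eduPersonPrincipalName"},
    "SPb": {"eduPersonPrincipalName", "eduPersonEntitlement"},
    "SPc": {"eduPersonAffiliation"},
}

# Constructed sample: the directory record behind one SAML Subject (NameIdentifier).
USERS = {
    "nameid-alice": {
        "eduPersonPrincipalName": "alice@example.ac.uk",
        "eduPersonEntitlement": "urn:mace:example:vfs:write",
        "eduPersonAffiliation": "staff",
        "mail": "alice@example.ac.uk",  # never released: absent from every policy
    }
}

# Assumption: one secret per SP shared with the IdP, standing in for each SP's public key.
SP_KEYS = {sp: hashlib.sha256(f"demo-key-{sp}".encode()).digest() for sp in RELEASE_POLICY}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks (not XML Encryption)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, audience: str, attributes: dict) -> dict:
    """Encrypt attributes for one audience and MAC the audience so it cannot be re-targeted."""
    nonce = os.urandom(12)
    plaintext = json.dumps(attributes, sort_keys=True).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, audience.encode() + nonce + ct, hashlib.sha256).digest()
    return {"audience": audience, "nonce": nonce, "ct": ct, "tag": tag}


def open_sealed(key: bytes, expected_audience: str, blob: dict) -> dict:
    """Receiving SP: refuse bundles addressed elsewhere or tampered with, then decrypt."""
    if blob["audience"] != expected_audience:
        raise ValueError("audience mismatch: bundle is not addressed to this SP")
    tag = hmac.new(key, blob["audience"].encode() + blob["nonce"] + blob["ct"],
                   hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("integrity check failed")
    pt = bytes(c ^ k for c, k in zip(blob["ct"], _keystream(key, blob["nonce"], len(blob["ct"]))))
    return json.loads(pt)


def aa_release(requesting_sp: str, subject: str) -> dict:
    """Attribute Authority: release only what the policy allows for the requesting SP."""
    allowed = RELEASE_POLICY.get(requesting_sp, set())
    record = USERS.get(subject, {})
    return {name: value for name, value in record.items() if name in allowed}


# Scenario 1 (delegation): SPa asks the IdP for one sealed bundle per downstream SP.
def delegation_bundles(subject: str, downstream_sps: list) -> dict:
    return {sp: seal(SP_KEYS[sp], sp, aa_release(sp, subject)) for sp in downstream_sps}


def sp_consume_bundle(sp: str, blob: dict) -> dict:
    """Downstream SP unwraps the bundle SPa forwarded to it."""
    return open_sealed(SP_KEYS[sp], sp, blob)


# Scenario 2 (loopback): SPb receives only the Subject from SPa and asks the AA itself.
def loopback(sp: str, subject: str) -> dict:
    return aa_release(sp, subject)


if __name__ == "__main__":
    bundles = delegation_bundles("nameid-alice", ["SPb", "SPc"])
    print("SPb via delegation:", sp_consume_bundle("SPb", bundles["SPb"]))
    print("SPb via loopback:  ", loopback("SPb", "nameid-alice"))
    try:
        sp_consume_bundle("SPa", bundles["SPb"])  # SPa holds SPb's bundle but cannot read it
    except ValueError as err:
        print("SPa opening SPb bundle:", err)
```

In the delegation case the cost the message points out is visible in `delegation_bundles`: SPa fetches a bundle for every SP it might call, whether or not that call happens. The loopback case fetches nothing up front but makes SPb depend on the AA accepting a Subject it did not issue to SPb, which is exactly the name-identifier question in Tom's reply.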