
shibboleth-dev - RE: Constrained delegation with additional attributes

Subject: Shibboleth Developers


RE: Constrained delegation with additional attributes


  • From: "Alistair Young" <>
  • Subject: RE: Constrained delegation with additional attributes
  • Date: Wed, 23 Nov 2005 09:27:44 -0000 (GMT)

> All I know is that the IdP issued an assertion about the person.
OK, seems fair enough, but you still need to know where the IdP is to get
it to disgorge some more attributes.

That's why the AuthorityBinding is so useful in a SecurityTokenReference.
A consumer of such a SOAP header can be told where the IdP is, instead of
having it in metadata.

If AuthorityBinding is deprecated then perhaps the SAML Token Profile
needs updating, as it's very useful in this case of "metadata push" from IdP
through SPa to SPb.

If SPb has a SAML Subject and the SAML2 equivalent of AuthorityBinding
then it can "loopback" to the IdP, bypassing all relaying SPs (SPa etc.) to
get the attributes it needs.

Perhaps the SAML Token Profile could be updated to use elements from SAML2
Metadata instead of the old SAML 1.1 stuff. If, say, an "agent" is roaming
a federation searching on behalf of a user, it's going to need info like
that to get into SPs which have a relationship with its IdP.

If this sounds feasible we'd be willing to update the profile.

Alistair


--
Alistair Young
Senior Software Engineer
UHI@Sabhal
Mòr Ostaig
Isle of Skye
Scotland

>> > I would think so, why wouldn't it? It's not a question of "home"
>> > anyway. I don't know what the relationship of the subject to the
>> > issuer is, and I don't really need to, but if I want to know where
>> > somebody's AA is, I can find out any number of ways.
>>
>> Sorry, I'm missing something. If you don't assume the subject and
>> issuer are related, how do you determine the AA endpoint location?
>
> When I said "somebody's AA", I was (badly) referring to the issuer as the
> somebody, not the subject. As in, if I want to know where the AA for
> urn:mace:incommon:osu.edu is, I can use metadata to find it.
>
> My point was just that I don't like attaching labels like "home" to the
> relationship between a subject and an IdP. All I know is that the IdP
> issued
> an assertion about the person.
>
> -- Scott
>
>




Archive powered by MHonArc 2.6.16.