Shibboleth Developers

[Ian Young <>]

Walter Hoehn wrote:

> > As an alternative to proper authentication, though, it would be 
> > possible to just pass an additional header, or a query parameter.  The 
> > only downside I can think of is that random people could ask for your 
> > metadata, but I don't think I worry about that.  After all, the 
> > current model is to stick a file up on a web site, which is not 
> > exactly private.
>
> To my mind, this becomes much more of an issue than it is now if folks 
> begin to encode IdP-specific attribute requirements into the metadata.

I admit I hadn't been thinking in terms of metadata varying 
partner-by-partner, more community-by-community.  So, yes, if people 
went down that route then you might need to do real authentication 
because you might want to keep that whole thing private.

It's hard to see that you'd be able to get metadata at that level of 
granularity signed by a third party, though, at which point I'm not sure 
how you'd persuade yourself to believe any of it.  Help me out here?

        -- Ian