
shibboleth-dev - release of authentication assertion


  • From: Will Norris <>
  • To:
  • Subject: release of authentication assertion
  • Date: Thu, 21 Sep 2006 15:00:10 -0700

We run a fairly restrictive environment here at USC when it comes to directory data access, hence our desire for ARP Constraints. One of the things that has recently been questioned is anonymous use of our Identity Provider. That is, what can a service provider get without us adding them to our IdP metadata? Our ARPs are configured to release no attributes to anonymous SPs, so that is not an issue. What is a concern, however, is the fact that authentication assertions are still released. So someone could very easily set up an application and use our IdP to authenticate that user without us ever knowing about it. Granted, they would know absolutely nothing about the user other than the fact that they were able to authenticate to our IdP, but we really don't even want to allow that. What it seems like we need is not just an "Attribute Release Policy", but rather an "Assertion Release Policy". This would take the idea of constraints one step farther than it is right now. Our primary use case would be "if the user logging in doesn't have a specific entitlement, bail out of the Shib flow altogether and display an error message".

I know there are a number of technical considerations to this and haven't completely thought through how this would actually be implemented, but I wanted to bring it up anyway. Has anyone else ever had similar concerns? Does this seem like a reasonable concern? Does this sound like something that may be more easily addressed in Shib2 with the planned changes to the ARP structure?

-will

Attachment: smime.p7s
Description: S/MIME cryptographic signature
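The gap Will describes (the ARP can withhold attributes from an unregistered SP, but the IdP still issues an authentication assertion to it) and the "bail out unless the user holds a specific entitlement" use case can both be expressed as a single policy decision made before the IdP builds any assertion. The following is an added example, not Shibboleth code and not anything from the original post: a small Python policy evaluator over a constructed SP registry and constructed principal attributes. The `anonymous_sp_allowed` switch models the two behaviours in the post: `True` is the ARP-only behaviour (assertion issued, no attributes), `False` is the proposed "Assertion Release Policy". Entity IDs, attribute names and the `required_entitlement` field are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Sequence


@dataclass(frozen=True)
class ServiceProvider:
    """One SP known to the IdP (i.e. present in its metadata). Hypothetical model."""
    entity_id: str
    # Entitlement the principal must hold for an assertion to be issued at all;
    # None means no per-SP constraint beyond being registered.
    required_entitlement: Optional[str] = None
    # Attributes the ARP permits for this SP (empty = authentication only).
    released_attributes: FrozenSet[str] = field(default_factory=frozenset)


@dataclass(frozen=True)
class Decision:
    issue_assertion: bool
    attributes: Dict[str, Sequence[str]]
    reason: str


class AssertionReleasePolicy:
    """Decides whether an authentication assertion is issued, and which attributes go with it."""

    def __init__(self, registry: Sequence[ServiceProvider], anonymous_sp_allowed: bool):
        self._registry = {sp.entity_id: sp for sp in registry}
        self._anonymous_sp_allowed = anonymous_sp_allowed

    def evaluate(self, sp_entity_id: str, principal: Dict[str, Sequence[str]]) -> Decision:
        sp = self._registry.get(sp_entity_id)

        if sp is None:
            # SP not in IdP metadata: today's ARP-only behaviour still authenticates it.
            if self._anonymous_sp_allowed:
                return Decision(True, {}, "anonymous SP: authentication only, no attributes")
            # Proposed behaviour: refuse to issue any assertion and stop the SSO flow.
            return Decision(False, {}, "SP not in IdP metadata; assertion withheld")

        # The use case from the post: no entitlement, no assertion, error page instead.
        if sp.required_entitlement is not None:
            held = principal.get("eduPersonEntitlement", ())
            if sp.required_entitlement not in held:
                return Decision(False, {},
                                f"principal lacks entitlement {sp.required_entitlement}")

        # Assertion permitted; apply the ARP-style attribute filter for this SP.
        released = {name: values for name, values in principal.items()
                    if name in sp.released_attributes}
        return Decision(True, released, "assertion issued with filtered attributes")


# Constructed sample data (not real USC or Shibboleth configuration).
REGISTRY = [
    ServiceProvider(
        entity_id="https://sp.example.edu/shibboleth",
        required_entitlement="urn:mace:example.edu:entitlement:library",
        released_attributes=frozenset({"eduPersonPrincipalName", "eduPersonAffiliation"}),
    ),
]

PRINCIPAL_WITH_ENTITLEMENT = {
    "eduPersonPrincipalName": ["alice@example.edu"],
    "eduPersonAffiliation": ["member", "staff"],
    "eduPersonEntitlement": ["urn:mace:example.edu:entitlement:library"],
    "mail": ["alice@example.edu"],  # not in the SP's release set; must be filtered out
}

PRINCIPAL_WITHOUT_ENTITLEMENT = {
    "eduPersonPrincipalName": ["bob@example.edu"],
    "eduPersonAffiliation": ["member"],
}


def current_behaviour(sp_entity_id: str, principal: Dict[str, Sequence[str]]) -> Decision:
    """ARP only: unknown SPs still get an authentication assertion."""
    return AssertionReleasePolicy(REGISTRY, anonymous_sp_allowed=True).evaluate(sp_entity_id, principal)


def proposed_behaviour(sp_entity_id: str, principal: Dict[str, Sequence[str]]) -> Decision:
    """Assertion Release Policy: unknown SPs and unentitled users get nothing."""
    return AssertionReleasePolicy(REGISTRY, anonymous_sp_allowed=False).evaluate(sp_entity_id, principal)


if __name__ == "__main__":
    unknown = "https://unregistered.example.org/shibboleth"
    print(current_behaviour(unknown, PRINCIPAL_WITH_ENTITLEMENT))
    print(proposed_behaviour(unknown, PRINCIPAL_WITH_ENTITLEMENT))
    print(proposed_behaviour(REGISTRY[0].entity_id, PRINCIPAL_WITHOUT_ENTITLEMENT))
    print(proposed_behaviour(REGISTRY[0].entity_id, PRINCIPAL_WITH_ENTITLEMENT))
```

The check runs before assertion construction, so a denial leaves no SAML response at all for the SP to consume, which is the difference between "they learn only that the user exists" and "they learn nothing". A real deployment would also log the denied entity ID, since a stream of denials from one unregistered SP is exactly the unnoticed use of the IdP the post is worried about.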



