Shibboleth Developers

[Walter Hoehn <>]

Just to confirm what Scott said here, we are slated to make this a  
configurable option in the 2.0 IdP.  By default, anonymous access  
will be disabled.

-Walter


On Sep 21, 2006, at 6:28 PM, Scott Cantor wrote:

> > What is a concern however is the fact that authentication assertions
> > are still released.  So someone could very easily setup an
> > application and use our IdP to authenticate that user without
> > us ever knowing about it.
>
> You know about it, it's logged as an anonymous provider. By  
> definition you
> don't know who that is, of course, and I doubt we log the requested  
> ACS
> endpoint.
>
> > like we need is not just an "Attribute Release Policy", but rather an
> > "Assertion Release Policy".
>
> That's what endpoint checking is, we just don't have an option to  
> disallow
> unidentified providers from being allowed. It's already going to be  
> added
> per the request of the Swiss among others.
>
> I'd like to note that this basic aspect of SAML deployment (some  
> products
> don't allow anonymous requests) is viewed by some communities as a bad
> thing, because it forces the user to be at the mercy of the IdP  
> when it
> comes to which services to access.