
shibboleth-dev - Re: release of authentication assertion

Subject: Shibboleth Developers


Re: release of authentication assertion


  • From: Thomas Lenggenhager <>
  • To:
  • Subject: Re: release of authentication assertion
  • Date: Fri, 22 Sep 2006 07:34:30 +0200
  • Organization: SWITCH

Scott Cantor wrote:
>> like we need is not just an "Attribute Release Policy", but rather an
>> "Assertion Release Policy".
>
> That's what endpoint checking is, we just don't have an option to disallow
> unidentified providers from being allowed. It's already going to be added
> per the request of the Swiss among others.

Thank you, looking forward to deploying it!

> I'd like to note that this basic aspect of SAML deployment (some products
> don't allow anonymous requests) is viewed by some communities as a bad
> thing, because it forces the user to be at the mercy of the IdP when it
> comes to which services to access.

I surely see a reason for that behavior, especially for independent IdP
services. For a university IdP, denying anonymous use seems more likely to me.
Getting an authentication assertion from a university IdP implies that
the user is most likely an academic user, without sending an attribute.
With an independent IdP nothing comparable can be deduced.

Thomas

--
Thomas Lenggenhager http://www.switch.ch/
SWITCH The Swiss Education & Research Network
Zurich, Switzerland Tel: +41 44 268 1541


