
shibboleth-dev - RE: IdP discovery protocol news

Subject: Shibboleth Developers

  • From: "Alistair Young" <>
  • To:
  • Subject: RE: IdP discovery protocol news
  • Date: Tue, 6 Feb 2007 17:04:34 -0000 (GMT)
  • Importance: Normal

> a use case for attribute aggregation
in an ideal world yes but I can't see the OU allowing UHI to pull my
attributes out. I may not need those OU attributes when I access an SP in
my UHI guise, so they're a dead weight in the SAML.

> You just build your own flow locally
yes. I've done that for mvnForum, Bodington and Sakai so far. Although
apps are happy to use auth information dumped in the headers for them,
they're not so easy to change to get logout to work. They don't "know"
there's a separate system that must be logged out of too.

Alistair


--
mov eax,1
mov ebx,0
int 80h

>> Can we have support for clearing your selection? For users who have
>> multiple IdPs for the same SP and consequently different levels of access
>> to resources.
>
> Well, that kind of sounds more like a use case for attribute aggregation
> than using a different IdP. Secondly, if the SP knows enough to clear the
> cookie that's nice, but the DS won't know enough to get the user to select
> a different IdP than he chose to begin with.
>
> That kind of use case is best handled at the SP, not with a centralized
> WAYF.
>
> Ian's point about this being deployable at an SP is correct, but it doesn't
> mention the fact that if you have that kind of situation, you don't usually
> need a standard protocol. You just build your own flow locally.
>
> We will have a code base from Rod that people can easily extend to support
> richer exchange if they want to do that, but the protocol itself can stay
> simple.
>
> -- Scott



