
shibboleth-dev - RE: IdP discovery protocol news

Subject: Shibboleth Developers


  • From: "Scott Cantor" <>
  • To: <>, <>
  • Subject: RE: IdP discovery protocol news
  • Date: Tue, 6 Feb 2007 12:40:03 -0500
  • Organization: The Ohio State University

> in an ideal world yes but I can't see the OU allowing UHI to pull my
> attributes out.

Well, I was saying that the SP is the entity that should ask for the
additional data it needs, not the second IdP.

> I may not need those OU attributes when I access an SP in
> my UHI guise, so they're a dead weight in the SAML.

Right, but they wouldn't be there. I'm not trying to say we're going to ship
this right away, I'm just trying to look at the right tool for the job.
Juggling multiple accounts and selecting between them ahead of time isn't
necessarily a great user experience.

It might be the right thing in some cases, but rarely both at once with a
single application. And always remember, for me an SP is an application, not
a gateway to 10 applications.

> yes. I've done that for mvnForum, Bodington and Sakai so far. Although
> apps are happy to use auth information dumped in the headers for them,
> they're not so easy to change to get logout to work. They don't "know"
> there's a separate system that must be logged out of too.

Well, I don't see that this has anything to do with the topic at hand, but
FWIW, agent/gateway designs don't make single logout easier, they just
continue to pile on more reimplemented protocols.

-- Scott




