
shibboleth-dev - Re: Attribute Queries in Shib 2

Subject: Shibboleth Developers


Re: Attribute Queries in Shib 2


  • From: "Tom Scavo" <>
  • To:
  • Subject: Re: Attribute Queries in Shib 2
  • Date: Mon, 9 Jul 2007 10:03:51 -0400

On 7/9/07, Ian Young wrote:

> Most deployers won't ever change the default configuration, so (in my
> opinion) it has to be secure under any assumptions about the attributes
> used, not just convenient assumptions.

Right, so if an out-of-the-box IdP pushes affiliation and nothing
else, this requirement is met.

If you're an IdP and you're concerned with pushing attributes on the
front channel, and you can't (or won't) do encryption, why not support
a push/pull combination where benign attributes are pushed and more
sensitive attributes are queried on the back channel? If the SP needs
additional attributes, it can query.

Tom


