Shibboleth Developers

["Spencer W. Thomas" <>]

Well, since all of our origins have previously signed a license with us,
yes, we know who they are, and they want to link their users to us.  So
that's the set of use cases that I'm dealing with.

If you're providing public access to something like a wiki, then it's a
different matter, I agree.  There are "solutions" that have been
discussed using cross-site scripting and/or webbugs.  These require
prior agreement (not necessarily mutual agreement) on the part of the
IdP and SP or WAYF to use a particular scheme, and require the user to
assent to allowing this potential security risk.  For example, users
with the Firefox plugin NoScript must "opt in" to any cross-site
scripting approach, and potentially need to opt in to web bugs, too (the
default is to allow web bugs, currently). 

Josh Howlett wrote:
> Both of these approaches require prior knowledge, on behalf of either
> the IdP or SP, of their respective constituencies' destinations or
> origins.
>
> These are useful optimisations, to be sure, but I don't personally
> believe that they will scale in deployments where destinations and
> origins are numerous and unpredictable. I suppose whether you care about
> this depends on the scope of your ambitions.
>
> josh.
>
>   

-- 
------------------------------------------------------------------------
Spencer Thomas
Operations Supervisor, JSTOR

 
<mailto:>
+1-734-998-9104

JSTOR is a not-for-profit organization helping the scholarly community
take advantage of advances in technology. Our initial effort -- building
trusted digital archives for scholarship -- provides for the long-term
preservation and access of leading academic journals and scholarly
literature from around the world. Our work is supported by libraries,
scholarly societies, publishers, and foundations.

------------------------------------------------------------------------