shibboleth-dev - Re: The Grid Use Case
Subject: Shibboleth Developers
List archive
- From: Chad La Joie <>
- To:
- Subject: Re: The Grid Use Case
- Date: Wed, 31 Oct 2007 16:58:06 +0100
- Organization: SWITCH
We don't have an implementation of the persistent NameID, but it would be easy enough to add. The issue is just whether deployers will actually accept the need for a database in order to use it. To me it doesn't seem like that big of a deal but I know some think it is.
All encryption is done on a per-relying party basis, or per-relying party group (i.e. EntitiesDescriptor).
Tom Scavo wrote:
Thanks for that detailed explanation, Chad. So it seems the requirements can still be met if the Shib IdP 2.0 supports the SAML V2.0 persistent NameID. Does it?
Will the IdP sign assertions (not responses) on a per-SP basis?
Thanks,
Tom
On 10/31/07, Chad La Joie wrote:
The IdP has two flags that control encryption; one for nameid and one for assertions. These flags are set on a per-relying party basis. The IdP will encrypt something iff the flag is set to true and it can resolve an encryption key for the relying party (nominally this means the key is in the metadata). If the flag is set to true and no key can be resolved it's an error condition. If the flag is set to false no encryption is done.
How exactly we'll indicate attribute encryption still needs some things worked out. It's possible we may not enable this in 2.0.
Tom Scavo wrote:
On 10/31/07, Chad La Joie wrote:
Tom Scavo wrote:
1. The IdP asserts an SSO assertion with the following characteristics:
* The assertion is unencrypted
* There is a digital signature on the <Assertion> element
* The <AuthnContext> element distinguishes between two levels of assurance
* The IdP asserts a persistent, non-reassignable identifier (encrypted)
* The assertion may contain non-identity attributes such as ePSA (unencrypted)
* Can the Shib IdP 2.0 be made to issue such an assertion?
Yes. Generally though, I imagine most people will encrypt the assertion if they're pushing attributes in it.
Thanks for the reply. The above assertion doesn't expose the user's identity so it seems harmless. In any event, will the Shib IdP 2.0 encrypt the NameID and Attribute elements selectively (i.e., on a case-by-case basis)?
Thanks,
Tom
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
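The per-relying-party encryption rule Chad describes (encrypt iff the flag is true and a key resolves from metadata; flag true with no key is an error, never a silent fall-back to plaintext), as an added example that is not Shibboleth's own code; the configuration lookup order (entity, then EntitiesDescriptor group, then a default) and all names and sample entityIDs are assumptions constructed for the example.

```python
from dataclasses import dataclass, field


class EncryptionConfigError(Exception):
    """Flag demands encryption but no encryption key resolves for the RP."""


@dataclass
class RelyingPartyConfig:
    encrypt_nameid: bool = False
    encrypt_assertion: bool = False


@dataclass
class Metadata:
    # entityID -> encryption key id (stand-in for KeyDescriptor use="encryption")
    encryption_keys: dict = field(default_factory=dict)
    # EntitiesDescriptor group name -> member entityIDs
    groups: dict = field(default_factory=dict)


def config_for(entity_id, metadata, per_entity, per_group, default):
    """Most specific configuration wins: entity, then its group, then default."""
    if entity_id in per_entity:
        return per_entity[entity_id]
    for group, members in metadata.groups.items():
        if entity_id in members and group in per_group:
            return per_group[group]
    return default


def decide(entity_id, metadata, per_entity, per_group, default):
    """Return {element: encrypt?}; raise if a flag is true but no key resolves."""
    cfg = config_for(entity_id, metadata, per_entity, per_group, default)
    key = metadata.encryption_keys.get(entity_id)
    result = {}
    for element, flag in (("NameID", cfg.encrypt_nameid),
                          ("Assertion", cfg.encrypt_assertion)):
        if not flag:
            result[element] = False          # flag false: no encryption
        elif key is None:                    # flag true, no key: fail closed
            raise EncryptionConfigError(f"{element}: no key for {entity_id}")
        else:
            result[element] = True           # flag true and key resolved
    return result


# Constructed sample data: sp1 has a key and its own config; sp2 is only in
# the group and has no key; sp3 falls through to the default.
SP1, SP2, SP3 = "https://sp1.example/sp", "https://sp2.example/sp", "https://sp3.example/sp"
SAMPLE_METADATA = Metadata(encryption_keys={SP1: "sp1-rsa-key"},
                           groups={"grid-sps": [SP1, SP2]})
PER_ENTITY = {SP1: RelyingPartyConfig(encrypt_nameid=True, encrypt_assertion=False)}
PER_GROUP = {"grid-sps": RelyingPartyConfig(encrypt_nameid=True, encrypt_assertion=True)}
DEFAULT = RelyingPartyConfig()
```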