shibboleth-dev - Re: The Grid Use Case
Subject: Shibboleth Developers
List archive
- From: "Tom Scavo" <>
- To:
- Subject: Re: The Grid Use Case
- Date: Wed, 31 Oct 2007 13:15:53 -0400
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=FZo+WZhxWLM1/FNyG7fwnr4CwapyVUsrn1HUIpPRfTwjuk7qJ9jj2cHsdQPucd5e/2YKPj24USb2xjgc2ieEeDlTwaabZ0kUSPtI2fWns0PtFytt0D7NvbpVmUZnTvJwiVFZ+l62MxMfNPqzD5+hcagqJ/PCM5+cMCFwNGcNt3A=
On 10/31/07, Scott Cantor
<>
wrote:
>
> The big problem here is that this is simply a violation of the basic SSO
> profile. The assertions you get cannot be passed to other relying parties
> unless they're decorated in a fashion that permits that to happen.
The nested SSO assertion is not used as an authentication token, but
rather for access control. The RP can verify the signature and check
the conditions (to keep the SP honest), and apply policy to the
AuthnStatement. If the SSO assertion is constructed carefully, there
is no privacy leak. Putting (at most) non-identity attributes in the
nested SSO assertion is equivalent to what the IdP does today in
IdP-first scenarios or for unauthenticated SPs.
Tom
- Re: The Grid Use Case, (continued)
- Re: The Grid Use Case, Tom Scavo, 10/31/2007
- Re: The Grid Use Case, Chad La Joie, 10/31/2007
- Re: The Grid Use Case, Tom Scavo, 10/31/2007
- RE: The Grid Use Case, Scott Cantor, 10/31/2007
- Message not available
- Re: The Grid Use Case, Tom Scavo, 10/31/2007
- RE: The Grid Use Case, Scott Cantor, 10/31/2007
- Re: The Grid Use Case, Tom Scavo, 10/31/2007
- RE: The Grid Use Case, Scott Cantor, 10/31/2007
- Message not available
- Re: The Grid Use Case, Tom Scavo, 10/31/2007
- Re: The Grid Use Case, Tom Scavo, 10/31/2007
- RE: The Grid Use Case, Scott Cantor, 10/31/2007
- Re: The Grid Use Case, Tom Scavo, 10/31/2007
Archive powered by MHonArc 2.6.16.