shibboleth-dev - Re: [Shib-Dev] Obtaining user attributes from a web form at the time of authentication

Subject: Shibboleth Developers

List archive

From: "Tom Scavo" <>
To:
Subject: Re: [Shib-Dev] Obtaining user attributes from a web form at the time of authentication
Date: Mon, 27 Oct 2008 13:13:31 -0400
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=I0OsQGMRS8szAL+iAlvVlumv1Zsz7JC5tnXhIQKJSoEmgVnjjiI9fO0RBDhWg23tYZ YHBBG8hgrP7bw2MqeOxynlVM5OD9E5xB9sS5b7sLNJ3LYhvqKpv+MnVXOSOC3WfAAsQR I+VKrhsax/A9yQdjv85HZ7bmpbiC43hrSJb04=

On Mon, Oct 27, 2008 at 12:49 PM, Dharam Veer
<>
wrote:
>
> Thanks for this clarification. I am looking at OAuth as per your suggestion
> and it does look interesting. I hope that it has some way to establish trust
> using x509 like SAML.

I'm only an interested bystander (i.e., I have no intimate
understanding of OAuth) but I found these blog entries enlightening:

http://www.hueniverse.com/hueniverse/2007/09/explaining-oaut.html
http://www.hueniverse.com/hueniverse/2007/10/beginners-guide.html
http://www.hueniverse.com/hueniverse/2007/10/beginners-gui-1.html
http://www.hueniverse.com/hueniverse/2008/10/beginners-guide.html
http://www.hueniverse.com/hueniverse/2008/10/beginners-gui-1.html

Sharing of keys is assumed, not specified.

>>> The OASIS SSTC
>>> has discussed the possibility of including attributes in AuthnRequest,
>>> and in fact, this is an action item waiting for someone to write the
>>> profile.
>
> Is there any public link which talks about it ?.

Yes:

http://lists.oasis-open.org/archives/security-services/200805/msg00024.html

Follow the link therein for additional discussion.

Tom

Re: [Shib-Dev] Obtaining user attributes from a web form at the time of authentication, (continued)