
shibboleth-dev - Re: [Shib-Dev] uApprove + IdP 3.x

Subject: Shibboleth Developers

  • From: Kristof BAJNOK <>
  • To:
  • Subject: Re: [Shib-Dev] uApprove + IdP 3.x
  • Date: Fri, 19 Mar 2010 13:13:55 +0100
  • Organization: NIIF Institute

On Friday 19 March 2010 12.16.40 Chad La Joie wrote:
> At this time, the consent engine is a strictly front-channel thing.

Yes, I'm aware of that, that's why I'm asking about the future plans. ;)

Seriously, I can imagine some filtering rule that could check the uApprove
database and throw an exception if user consent is needed. The uApprove
could then process this, display the consent screen (or fail on
back-channel) and redo the whole attribute resolution and filtering on success.

Of course, this would be an architectural change in at least uApprove (and
probably in the filtering part), but I think it would be far less hackish
than the current one. When you speak about integration, this is what I think
it should mean.

Why I'm coming up with this is because our federation is undergoing a wide
privacy analysis. If I can't promise that the back-channel privacy thing
will be handled at some time, I'd be forced to remove the AA endpoints from
the metadata. Therefore progressing towards persistent nameids would be
pointless.

Kristof
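
The flow proposed in the message above, modelled as an added example that is not part of the original post and is not Shibboleth or uApprove code. Every type and name here (`ConsentGatedRelease`, `ConsentRequiredException`, `consentDb`, `release`) is hypothetical, the consent screen is reduced to a boolean, and attribute resolution is reduced to a fixed map.

```java
import java.util.*;

// Hypothetical model only: none of these types are Shibboleth IdP or uApprove APIs.
public class ConsentGatedRelease {
    enum Channel { FRONT, BACK }

    static class ConsentRequiredException extends Exception {
        final Set<String> attributes;
        ConsentRequiredException(Set<String> attributes) { this.attributes = attributes; }
    }

    // Stand-in for the uApprove database: "user|relyingParty" -> attribute ids already approved.
    static final Map<String, Set<String>> consentDb = new HashMap<>();

    // The filtering rule: release only if every attribute is covered by stored consent.
    static Map<String, String> filter(String user, String rp, Map<String, String> resolved)
            throws ConsentRequiredException {
        Set<String> missing = new TreeSet<>(resolved.keySet());
        missing.removeAll(consentDb.getOrDefault(user + "|" + rp, Set.of()));
        if (!missing.isEmpty()) throw new ConsentRequiredException(missing);
        return resolved;
    }

    // The consent engine: prompt on the front channel, fail closed on the back channel.
    static Map<String, String> release(Channel ch, String user, String rp,
                                       Map<String, String> resolved, boolean userApproves) {
        try {
            return filter(user, rp, resolved);
        } catch (ConsentRequiredException e) {
            if (ch == Channel.BACK || !userApproves) return Map.of(); // nobody to ask, or declined
            consentDb.computeIfAbsent(user + "|" + rp, k -> new HashSet<>()).addAll(e.attributes);
            try {
                return filter(user, rp, resolved); // redo filtering once consent is recorded
            } catch (ConsentRequiredException again) {
                return Map.of();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Map<String, String> attrs = Map.of("mail", "user@example.org", "eduPersonAffiliation", "staff");
        System.out.println("AA query, no consent: " + release(Channel.BACK, "alice", "sp1", attrs, false));
        System.out.println("SSO, user approves:   " + release(Channel.FRONT, "alice", "sp1", attrs, true));
        System.out.println("AA query, after SSO:  " + release(Channel.BACK, "alice", "sp1", attrs, false));
    }
}
```

The first attribute query releases nothing because no consent record exists and the back channel has no user to ask; the same query succeeds only after a front-channel login has stored consent.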


