shibboleth-dev - RE: [Shib-Dev] ECP delegation: <PolicyRule type="Delegation" .../> question
Subject: Shibboleth Developers
- From: "Scott Cantor" <>
- To: <>
- Subject: RE: [Shib-Dev] ECP delegation: <PolicyRule type="Delegation" .../> question
- Date: Wed, 13 Oct 2010 11:28:12 -0400
- Organization: The Ohio State University
> it is not clear to me how to configure a WSP which accepts delegated
> assertions from 2 different WSC portals. In particular the "match"
> attribute is not clear...
>
> Does the rule here below mean "accept portal1 or portal2 as delegate" or
> does it build a delegation chain: "portal1 -> portal2 -> wsp"?

It means the latter. If you just want to list the allowable delegates, you
just take out match (or set it to anyOrder). That doesn't mean "all these
must be delegates", it means "any of these can be delegates, and nothing
else can be".

To do finer-grained checking, there's actually a "Delegation" attribute
extractor that I forgot to document. It can pull off the information that's
in the condition and put it into an attribute, with a value for each
delegate.

-- Scott
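
Added example, not part of the message above and not Shibboleth code: a simplified Python model of the two readings discussed in the reply (a list of allowable delegates versus a delegation chain), together with pulling one value per delegate out of the delegation condition. The entity IDs, the function names and the exact-order interpretation of the chain case are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "del": "urn:oasis:names:tc:SAML:2.0:conditions:delegation"}

# Constructed sample: delegated first to portal1, then to portal2.
# In practice the input is an assertion whose signature was already verified.
SAMPLE = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:del="urn:oasis:names:tc:SAML:2.0:conditions:delegation"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Conditions>
    <saml:Condition xsi:type="del:DelegationRestrictionType">
      <del:Delegate DelegationInstant="2010-10-13T15:00:00Z">
        <saml:NameID>https://portal1.example.org/shibboleth</saml:NameID>
      </del:Delegate>
      <del:Delegate DelegationInstant="2010-10-13T15:01:00Z">
        <saml:NameID>https://portal2.example.org/shibboleth</saml:NameID>
      </del:Delegate>
    </saml:Condition>
  </saml:Conditions>
</saml:Assertion>
"""

def extract_delegates(assertion_xml):
    """Return one value per delegate in the condition, in document order."""
    root = ET.fromstring(assertion_xml)
    names = root.iterfind(".//del:Delegate/saml:NameID", NS)
    return [(n.text or "").strip() for n in names]

def delegates_allowed(delegates, listed, ordered_chain=False):
    """Assumed, simplified model of the two readings of the rule.
    ordered_chain=False: any listed entity may be a delegate, nothing else may.
    ordered_chain=True:  the delegates must be exactly the listed chain, in order.
    """
    if not delegates:
        # Undelegated assertions are outside what this example models.
        raise ValueError("assertion carries no delegates")
    if ordered_chain:
        return list(delegates) == list(listed)
    return set(delegates) <= set(listed)

if __name__ == "__main__":
    chain = extract_delegates(SAMPLE)
    print(delegates_allowed(chain[1:], chain))        # True: portal2 alone is listed
    print(delegates_allowed(chain[1:], chain, True))  # False: not the full chain
```
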
- [Shib-Dev] ECP delegation: <PolicyRule type="Delegation" .../> question, Valery Tschopp, 10/13/2010
- RE: [Shib-Dev] ECP delegation: <PolicyRule type="Delegation" .../> question, Scott Cantor, 10/13/2010