shibboleth-dev - [Shib-Dev] Use of Metadata in Delegation Configuration

Subject: Shibboleth Developers

[Shib-Dev] Use of Metadata in Delegation Configuration


  • From: Chad La Joie <>
  • To:
  • Subject: [Shib-Dev] Use of Metadata in Delegation Configuration
  • Date: Mon, 14 Mar 2011 16:18:12 -0400
  • Organization: Itumi, LLC

One thing that I've been hearing from folks that are testing the IdP
delegation extension in a federation environment (this is less of an
issue within a single campus) is that the configuration doesn't scale
well. As a recap, you have to configure two things for the delegation
extension:
- the fact that a particular relying party can request a delegated
assertion
- to whom a particular relying party can give the delegated assertion

I think it's safe to say that the developers have always known that
having to set up a special <RelyingParty> config for every delegation
requesting SP and having to enumerate every possible recipient was going
to be problematic on anything other than a small scale. At the time,
however, we didn't have any better ideas on how to make this easier.

An idea that I've been kicking around in my head for a while is using
metadata to address the second configuration step (which is the one that
potentially changes more rapidly). In this model the IdP would still
need to enumerate which SPs were allowed to request a delegated
assertion. However, instead of looking to the IdP's own configuration
for a list of SPs that could receive the delegated assertion the IdP
would look at the requesting SP's metadata.

This would have the benefit of only having to put the list of SPs to
which a requesting SP can delegate into one place (instead of having to
ask every participating IdP to change their config). So that helps with
the scaling problem. The drawback is that the IdP can no longer place
constraints on the recipient of the delegated assertion and instead has
to trust the metadata.

What do people think of this option of using metadata like this? Is
this too much trust to place on information that is in metadata? Is the
explicit list of allowed recipients a policy knob that can't be lived
without at the IdP?

P.S. There is no drafted definition for a metadata extension like the
one I'm discussing here. This is just some initial thinking on my part.

--
Chad La Joie
http://itumi.biz
trusted identities, delivered


