shibboleth-dev - RE: [Shib-Dev] Use of Metadata in Delegation Configuration

RE: [Shib-Dev] Use of Metadata in Delegation Configuration

  • From: "Cantor, Scott E." <>
  • To: "" <>
  • Subject: RE: [Shib-Dev] Use of Metadata in Delegation Configuration
  • Date: Tue, 15 Mar 2011 01:26:41 +0000
  • Accept-language: en-US

> I think it's safe to say that the developers have always known that
> having to set up a special <RelyingParty> config for every delegation
> requesting SP and having to enumerate every possible recipient was going
> to be problematic on anything other than a small scale. At the time,
> however, we didn't have any better ideas on how to make this easier.

I felt like it was a limitation of the configuration schema that we needed to
address in v3, because it's really something that needs a policy layer much
like attribute filters do.

It seems to me that it's a scaling problem *if* you want to tightly control
this, just like it's a scaling problem to handle attribute release per SP (as
most sites already do). I don't think we can avoid the problem by saying that
nobody really needs to limit it...

> An idea that I've been kicking around in my head for a while is using
> metadata to address the second configuration step (which is the one that
> potentially changes more rapidly). In this model the IdP would still
> need to enumerate which SPs were allowed to request a delegated
> assertion. However, instead of looking to the IdP's own configuration
> for a list of SPs that could receive the delegated assertion the IdP
> would look at the requesting SP's metadata.

The problem I have with that model is that I don't think there would ever be
anything self-asserted in most federations (who could really decide?), so I'm
not sure this does much to control it. It just limits it to whatever SP
bothers to ask for the ability.

> What do people think of this option of using metadata like this? Is
> this too much trust to place on information that is in metadata? Is the
> explicit list of allowed recipients a policy knob that can't be lived
> without at the IdP?

Personally, I would prefer just making the policy control here pluggable like
the filters are now. If people want to constrain the set of SPs, fine, if
they want it to be wide open, that's fine too. And I could imagine using
entity tags if you *were* to control this via metadata, but as part of a more
generalized approach.

-- Scott
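The three policy models discussed in this thread (the IdP enumerating every recipient per requesting SP, consulting the requesting SP's own metadata, and an entity-tag approach) can be compared side by side with a small simulation. The following is an added example written for this archive page; it is not code from the thread, from Shibboleth or from any federation. The entity IDs, the metadata documents, the delegation-recipient attribute name and the entity-category value are all constructed for the example (only the namespace URIs and the `http://macedir.org/entity-category` attribute name are real identifiers). The point it shows is the one Scott makes: once the recipient check is a pluggable policy behind a deny-by-default gate, "tightly controlled", "metadata-driven" and "wide open" are just different plug-ins.

```python
"""Delegation-recipient policy modelled three ways: explicit list, requester
metadata, entity tag. Added example; not Shibboleth IdP code."""
from typing import Callable, Mapping, Set
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumptions: the recipient attribute name and the category value are invented
# for this example; the entity-category attribute name itself is the standard one.
RECIPIENT_ATTR = "http://example.org/delegation/allowed-recipient"
ENTITY_CATEGORY_ATTR = "http://macedir.org/entity-category"
DELEGATION_TAG = "http://example.org/category/delegation-recipient"

PORTAL = "https://portal.example.org/shibboleth"  # constructed requesting SP
API = "https://api.example.org/shibboleth"        # constructed recipient SP
OTHER = "https://other.example.net/shibboleth"    # constructed, never authorised

Policy = Callable[[str, str], bool]  # (requesting SP, recipient SP) -> permit?

def entity_xml(entity_id: str, attr_name: str, values) -> str:
    """Build a minimal constructed EntityDescriptor carrying one entity attribute."""
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return (f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:mdattr="{MDATTR}" '
            f'xmlns:saml="{SAML}" entityID="{entity_id}"><md:Extensions>'
            f'<mdattr:EntityAttributes><saml:Attribute Name="{attr_name}">{vals}'
            f"</saml:Attribute></mdattr:EntityAttributes></md:Extensions>"
            '<md:SPSSODescriptor protocolSupportEnumeration='
            '"urn:oasis:names:tc:SAML:2.0:protocol"/></md:EntityDescriptor>')

# Constructed federation metadata, keyed by entityID.
METADATA: Mapping[str, str] = {
    PORTAL: entity_xml(PORTAL, RECIPIENT_ATTR, [API]),            # SP self-asserts its recipient
    API: entity_xml(API, ENTITY_CATEGORY_ATTR, [DELEGATION_TAG]),  # federation tags the recipient
    OTHER: entity_xml(OTHER, ENTITY_CATEGORY_ATTR, []),            # no tag, no assertion
}

def entity_attribute_values(xml: str, name: str) -> Set[str]:
    """Collect the values of one mdattr:EntityAttributes attribute from an entity's metadata."""
    root = ET.fromstring(xml)
    found: Set[str] = set()
    for attr in root.iterfind(f".//{{{MDATTR}}}EntityAttributes/{{{SAML}}}Attribute"):
        if attr.get("Name") == name:
            found.update(v.text.strip() for v in attr.iterfind(f"{{{SAML}}}AttributeValue") if v.text)
    return found

# Step 1 of every model: the IdP still enumerates who may request a delegated assertion.
ALLOWED_REQUESTERS = {PORTAL}

def explicit_list(config: Mapping[str, Set[str]]) -> Policy:
    """Model 1: the IdP enumerates recipients per requester (the per-RelyingParty style)."""
    return lambda requester, recipient: recipient in config.get(requester, set())

def requester_metadata(metadata: Mapping[str, str]) -> Policy:
    """Model 2: trust the requesting SP's own metadata to name its recipients."""
    def policy(requester: str, recipient: str) -> bool:
        xml = metadata.get(requester)
        return xml is not None and recipient in entity_attribute_values(xml, RECIPIENT_ATTR)
    return policy

def entity_tag(metadata: Mapping[str, str]) -> Policy:
    """Model 3: permit any recipient the federation has tagged, whoever requests."""
    def policy(requester: str, recipient: str) -> bool:
        xml = metadata.get(recipient)
        return xml is not None and DELEGATION_TAG in entity_attribute_values(xml, ENTITY_CATEGORY_ATTR)
    return policy

def wide_open(requester: str, recipient: str) -> bool:
    """No recipient constraint at all; only the requester gate applies."""
    return True

def decide(policy: Policy, requester: str, recipient: str) -> bool:
    """Deny by default: the requester must be enumerated, then the plugged-in policy decides."""
    if requester not in ALLOWED_REQUESTERS:
        return False
    return bool(policy(requester, recipient))

if __name__ == "__main__":
    for name, pol in [("explicit", explicit_list({PORTAL: {API}})),
                      ("metadata", requester_metadata(METADATA)),
                      ("tag", entity_tag(METADATA)), ("open", wide_open)]:
        print(name, decide(pol, PORTAL, API), decide(pol, PORTAL, OTHER), decide(pol, OTHER, API))
```

The requester gate is deliberately outside the plug-in so that no policy choice can widen step 1; the difference between the models is only where the recipient list lives and who gets to write it, which is exactly the trust question raised in the quoted message.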
