
shibboleth-dev - Re: [Shib-Dev] 24/3 Dev Meeting, Request for Topics

Subject: Shibboleth Developers


Re: [Shib-Dev] 24/3 Dev Meeting, Request for Topics


  • From: "Cantor, Scott E." <>
  • To: "" <>
  • Subject: Re: [Shib-Dev] 24/3 Dev Meeting, Request for Topics
  • Date: Thu, 17 Mar 2011 15:48:24 +0000
  • Accept-language: en-US

On 3/17/11 10:20 AM, "Tom Zeller" <> wrote:
>I am interested in an ldap interface to the attribute resolver. While
>probably no one in their right mind would position the IdP as a
>directory, an ldap interface might allow an IdP to act as a backend to
>a real directory, such as openldap or apache ds v2. A read-only ldap
>interface (search) might be possible and I think similar to SAML
>attribute requests ?

Actually, the likely overlap between an LDAP interface and the features in
SAML are things we don't support much, if at all, like filtering
attributes or values from the request side.

And of course LDAP lets you "search", whereas the IdP really can only
lookup via a key that is resolved from a SAML Subject.

>I am also interested in an external authorization manager, something
>like a XACML PDP, as an attribute filterer.

Given the challenges we've had trying to figure out how XACML could work
as a filtering policy language, and more recently as a possible way to
handle metadata-based consent (we talked about that in Edinburgh at the
dev F2F), it would be interesting work to have somebody explore it.

-- Scott
