preventing attribute release for a class of users

Liam Hoekenga liamr at
Thu Sep 15 15:22:58 BST 2011

>> Here's my situation.  Our shib installation uses our campus SSO for
>> authentication.  Our campus sso has a guest account system.  We don't
>> want our guests getting out into the wild appearing to InCommon SPs as
>> "real" UMich users.
> Then don't assert member@

Some of our commercial vendors only check for valid authentications  
from our entityID.  These are places that really should be checking  
for affiliation or entitlements, but assume that anyone who can  
authenticate is ok.

There's concern that we would be in breach of contract with such  
providers if we let our guests access those resources, hence my desire  
to limit guest account assertions to local SPs.


