preventing attribute release for a class of users
Liam Hoekenga
liamr at umich.edu
Thu Sep 15 15:22:58 BST 2011
>> Here's my situation. Our shib installation uses our campus SSO for
>> authentication. Our campus SSO has a guest account system. We don't
>> want our guests getting out into the wild appearing to InCommon SPs as
>> "real" UMich users.
>
> Then don't assert member@
Some of our commercial vendors only check for valid authentications
from our entityID. These are places that really should be checking
for affiliation or entitlements, but assume that anyone who can
authenticate is ok.
There's concern that we would be in breach of contract with such
providers if we let our guests access those resources, hence my desire
to limit guest account assertions to local SPs.
Liam