preventing attribute release for a class of users

Cantor, Scott cantor.2 at
Thu Sep 15 15:34:51 BST 2011

On 9/15/11 10:22 AM, "Liam Hoekenga" <liamr at> wrote:
>Some of our commercial vendors only check for valid authentications
>from our entityID.  These are places that really should be checking
>for affiliation or entitlements, but assume that anyone who can
>authenticate is ok.

That's their problem, not yours. It is a mistake to allow such services to
dictate your authentication practices. That way lies total madness.

>There's concern that we would be in breach of contract with such
>providers if we let our guests access those resources, hence my desire
>to limit guest account assertions to local SPs.

It is not your job to force others to enforce their own policies.

How can you be in breach of contract for fulfilling your obligations and
providing the data you promise to provide accurately?

What about other users who aren't supposed to have access to those
resources? Retirees? Graduated students?

But to be clear, what you suggested won't work. You asked if you could
prevent attribute release for those users. Sure, but so what? You've
already authenticated them and you just said that the services only care
about authentication. So it's authentication you have to block, not the

-- Scott
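The distinction Scott draws, modelled as an added example (not code from this thread and not Shibboleth's own configuration or API): the user directory, the two entity IDs, the "guest" affiliation and both policy tables are constructed for the illustration. An attribute-release filter that withholds attributes from guests for non-local SPs is applied first; a vendor SP that admits anyone who authenticates still lets the guest in, and only refusing to authenticate the guest to that SP changes the outcome.

```python
"""Constructed model of an IdP that authenticates, then filters attributes,
and two SPs with different access checks.  Entity IDs, users and policies
are assumptions made for this example, not real deployments."""

from dataclasses import dataclass, field

# Constructed user directory; affiliation drives every decision below.
USERS = {
    "alice": {"affiliation": "member", "mail": "alice@example.edu"},
    "guest7": {"affiliation": "guest", "mail": "guest7@example.edu"},
}

# Constructed SP list.  'requires' is what the SP actually checks.
SPS = {
    "https://vendor.example.com/shibboleth": {"requires": "authentication"},
    "https://library.example.edu/shibboleth": {"requires": "affiliation:member"},
}


def is_local_sp(sp_entity_id):
    """Assumed convention for this example: local SPs live under example.edu."""
    return sp_entity_id.endswith(".example.edu/shibboleth")


@dataclass
class Assertion:
    subject: str
    authenticated: bool = True
    attributes: dict = field(default_factory=dict)


def attribute_filter(user, sp_entity_id):
    """Attribute-release policy (what the original poster asked about):
    release nothing about guests except to local SPs."""
    record = USERS[user]
    if record["affiliation"] == "guest" and not is_local_sp(sp_entity_id):
        return {}
    return {"affiliation": record["affiliation"], "mail": record["mail"]}


def idp_issue(user, sp_entity_id, block_guest_authn=False):
    """IdP pipeline: authenticate, then filter attributes.
    With block_guest_authn=True the IdP refuses to authenticate guests to
    non-local SPs at all, so no assertion is issued."""
    record = USERS[user]
    if (block_guest_authn and record["affiliation"] == "guest"
            and not is_local_sp(sp_entity_id)):
        return None  # the SP never sees this user
    return Assertion(subject=user,
                     attributes=attribute_filter(user, sp_entity_id))


def sp_grants_access(sp_entity_id, assertion):
    """SP-side decision.  A vendor that only checks for a valid
    authentication admits any assertion; a well-behaved SP checks
    an attribute value as well."""
    if assertion is None or not assertion.authenticated:
        return False
    requirement = SPS[sp_entity_id]["requires"]
    if requirement == "authentication":
        return True
    name, _, value = requirement.partition(":")
    return assertion.attributes.get(name) == value


def access(user, sp_entity_id, block_guest_authn=False):
    """End-to-end outcome for one user at one SP."""
    return sp_grants_access(sp_entity_id,
                            idp_issue(user, sp_entity_id, block_guest_authn))


if __name__ == "__main__":
    vendor = "https://vendor.example.com/shibboleth"
    for blocked in (False, True):
        print(f"block guest authn={blocked}: guest7 at vendor ->",
              access("guest7", vendor, block_guest_authn=blocked))
```

With the attribute filter alone, `access("guest7", vendor)` is True: the assertion carries no attributes, but the vendor never looks at them. With `block_guest_authn=True` the IdP issues no assertion and access is refused, which is the only lever on the IdP side when the SP checks authentication and nothing else. The local library SP, which checks affiliation, refuses the guest either way.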
