Not-so-hypothetically

Chad La Joie lajoie at shibboleth.net
Thu Mar 8 17:59:45 GMT 2012


Hey Keith,

I'm not quite sure what you're asking.  You seem to be suggesting that
passing a given entitlement value through would be bad but that passing
affiliation values isn't.  I'm not sure I see any difference.

If you're interested in a full SAML solution, the answer is fairly easy.
You delegate through each tier and either the assertion contains
attributes targeted to the SP or the SP queries for them.  Then no one
gets to see data they weren't supposed to.

That said, for something like common-lib-terms, which isn't PII, I don't
know why you couldn't just pass that as long as the receiver trusts the
code sending that value.

On 3/8/12 12:49 PM, Keith Hazelton wrote:
> Bamboo users may access back-end text repositories some of whose access
> policies allow access by anyone with library privileges at their IdP
> institution. The ePEntitlement urn:mace:dir:entitlement:common-lib-terms
> would be ideal, but for three wrinkles:
> 
> 1) The user's SAML session is with a portal-like mid-tier, and there are
> established trust relationships between the mid-tier hosts and the
> back-end services. However, in general, attribute assertions from an IdP to a particular
> SP should not be passed on to arbitrary back-end apps by that
> SP.
> 
> 2) SAML ECP with the mid-tier acting as a SAML Enhanced Client would
> seem a good fit but practically speaking few of the IdPs involved
> support ECP endpoints.
> 
> 3) Relatively few IdPs in the wild assert the ...common-lib-terms
> entitlement.  But most do carry & appropriately release
> ePScopedAffiliation.
> 
> So, not-so-hypothetical question: What should the portal do?  What security 
> objections would be raised against sending the back-end repository
> manager a "library patron" flag derived from IdP-asserted affiliations
> of faculty, staff, student &/or member?
> 
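To make the two options in the thread concrete (the explicit common-lib-terms entitlement versus a "library patron" flag derived from scoped affiliations), here is an added example for this thread; it is not Shibboleth or Bamboo code. It assumes the portal sees attributes as a dict of friendly name to value list, that the set of scopes the asserting IdP is registered for is available from federation metadata, and that the portal and back-end share an HMAC key so the back-end can verify which code sent the flag. Only the derived flag travels to the back-end, never the raw attribute values.

```python
"""Derive a "library patron" flag at the portal tier and hand only that
derived flag to a back-end.  Added illustration, not project code; the
attribute dict, registered-scope set and shared HMAC key are assumptions."""
import hashlib
import hmac
import json

# Attribute friendly names as commonly exposed by a Shibboleth SP.
EPSA = "eduPersonScopedAffiliation"
EPE = "eduPersonEntitlement"
COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"

# Affiliations the thread proposes to treat as "library patron".
LIBRARY_AFFILIATIONS = frozenset({"faculty", "staff", "student", "member"})


def parse_scoped(value):
    """Split 'affiliation@scope' into (affiliation, scope), lower-cased.
    Returns None when the value carries no usable scope."""
    if "@" not in value:
        return None
    affiliation, _, scope = value.rpartition("@")
    if not affiliation or not scope:
        return None
    return affiliation.lower(), scope.lower()


def is_library_patron(attrs, registered_scopes):
    """attrs: {attribute name: [values]} from the user's SAML session.
    registered_scopes: scopes the asserting IdP may assert (from its
    metadata <shibmd:Scope> entries, assumed available here).  A scoped
    value whose scope is not registered for this IdP is discarded, which
    is the same check a Shibboleth SP applies to scoped attributes."""
    # Prefer the explicit entitlement when the IdP releases it.
    if COMMON_LIB_TERMS in attrs.get(EPE, []):
        return True
    allowed = {s.lower() for s in registered_scopes}
    for raw in attrs.get(EPSA, []):
        parsed = parse_scoped(raw)
        if parsed is None:
            continue
        affiliation, scope = parsed
        if scope in allowed and affiliation in LIBRARY_AFFILIATIONS:
            return True
    return False


def mint_patron_token(subject, patron, key):
    """Minimal derived claim for the back-end: an opaque portal subject
    id and the flag, nothing copied from the IdP assertion.  Signed with
    HMAC-SHA256 under the (assumed) key shared by portal and back-end."""
    payload = json.dumps({"sub": subject, "library_patron": bool(patron)},
                         sort_keys=True, separators=(",", ":"))
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def verify_patron_token(token, key):
    """Back-end side: accept the flag only if the signature checks out.
    Returns the claim dict, or None for a missing or bad signature."""
    payload, sep, sig = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(payload)


if __name__ == "__main__":
    # Constructed sample session: an IdP registered for example.edu.
    session_attrs = {EPSA: ["student@example.edu", "member@example.edu"]}
    patron = is_library_patron(session_attrs, {"example.edu"})
    token = mint_patron_token("portal-user-42", patron, b"shared-secret")
    print(verify_patron_token(token, b"shared-secret"))
```

The scope check is what makes the derived flag defensible: an affiliation value whose scope the asserting IdP is not registered for must not count, or any IdP in the federation could mint "student@example.edu" for its own users. The back-end then sees a single boolean from a sender it can authenticate, which is the "receiver trusts the code sending that value" condition from the reply above.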