Not-so-hypothetically

Keith Hazelton hazelton at doit.wisc.edu
Thu Mar 8 18:05:18 GMT 2012


On Thu, 2012-03-08 at 12:59 -0500, Chad La Joie wrote:
> Hey Keith,
> 
> I'm not quite sure what you're asking.  You seem to be suggesting that
> passing a given entitlement value through would be bad but that passing
> affiliation values isn't.  I'm not sure I see any difference.
> 
> If you're interested in a full SAML solution, the answer is fairly easy.
> You delegate through each tier and either the assertion contains
> attributes targeted to the SP or the SP queries for them.  Then no one
> gets to see data they weren't supposed to.

But that's ECP, right? And too few IdPs support ECP endpoints for our
case.  Or is there a non-ECP way to do this?

> 
> That said, for something like common-lib-terms, which isn't PII, I don't
> know why you couldn't just pass that as long as the receiver trusts the
> code sending that value.

Seems ok to me. That's why I'm asking the list.

       --Keith

> 
> On 3/8/12 12:49 PM, Keith Hazelton wrote:
> > Bamboo users may access back-end text repositories some of whose access
> > policies allow access by anyone with library privileges at their IdP
> > institution. The ePEntitlement urn:mace:dir:entitlement:common-lib-terms
> > would be ideal, but for three wrinkles:
> > 
> > 1) The user's SAML session is with a portal-like mid-tier, and there are
> > established trust relationships between the mid-tier hosts and the
> > back-end services. However, in general, attribute assertions from an IdP to a particular
> > SP should not be passed on to arbitrary back-end apps by that
> > SP.
> > 
> > 2) SAML ECP with the mid-tier acting as a SAML Enhanced Client would
> > seem a good fit but practically speaking few of the IdPs involved
> > support ECP endpoints.
> > 
> > 3) Relatively few IdPs in the wild assert the ...common-lib-terms
> > entitlement.  But most do carry & appropriately release
> > ePScopedAffiliation.
> > 
> > So, not-so-hypothetical question: What should the portal do?  What security 
> > objections would be raised against sending the back-end repository
> > manager a "library patron" flag derived from IdP-asserted affiliations
> > of faculty, staff, student &/or member?
> > 
> > --
> > To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
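As an added illustration of the "library patron" flag discussed in this thread (example code, not from the list or from Shibboleth): the portal checks for the common-lib-terms entitlement first, otherwise derives the flag from eduPersonScopedAffiliation, and only ever forwards its own derived flag to the back end rather than the IdP's raw attribute values. The attribute names follow eduPerson; `idp_scopes` (the scopes the IdP is registered for in metadata) and `portal_id` are assumptions for the example.

```python
# Added example: deriving a "library patron" flag at the mid-tier portal.
# The scope check mirrors what a Shibboleth SP does against shibmd:Scope in
# IdP metadata; it is reproduced here so the trust boundary is visible.

COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"
PATRON_AFFILIATIONS = {"faculty", "staff", "student", "member"}


def derive_library_patron(attrs, idp_scopes):
    """Return (is_patron, reason).

    attrs: dict of attribute name -> list of values released to the portal.
    idp_scopes: set of lower-cased scopes the asserting IdP is authorised
                for; affiliation values scoped elsewhere are ignored.
    """
    # 1. A directly asserted entitlement is the ideal case (wrinkle 3 is
    #    that few IdPs release it).
    if COMMON_LIB_TERMS in attrs.get("eduPersonEntitlement", []):
        return True, "entitlement"

    # 2. Otherwise derive the flag from scoped affiliation, but only from
    #    values whose scope the IdP is actually allowed to assert.
    for value in attrs.get("eduPersonScopedAffiliation", []):
        affil, sep, scope = value.partition("@")
        if not sep or scope.lower() not in idp_scopes:
            continue  # unscoped or foreign-scoped value: do not trust it
        if affil.lower() in PATRON_AFFILIATIONS:
            return True, f"affiliation:{affil.lower()}@{scope.lower()}"

    return False, "none"


def backend_claims(attrs, idp_scopes, portal_id):
    """What the portal sends to the back-end repository manager: a flag it
    asserts in its own name, not the IdP's attribute assertion passed on."""
    is_patron, _reason = derive_library_patron(attrs, idp_scopes)
    return {"issuer": portal_id, "library_patron": is_patron}


# Constructed sample input, not taken from the thread.
SAMPLE_ATTRS = {
    "eduPersonScopedAffiliation": ["Student@Example.edu", "member@other.edu"],
    "eduPersonEntitlement": [],
}
```

The `_reason` value is intended for the portal's own audit log, so a reviewer can later see whether a flag came from the entitlement or from a derived affiliation.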
