School me on hub and spoke federations

Mike Flynn shibbolethlynda at yahoo.com
Tue May 14 10:57:15 EDT 2013


So, basically, there is no standard for this?  I do see the home org attribute you spoke of:

http://macedir.org/ontologies/attribute/2012-11-10/attributeOntologyDoc/schachomeorganization.html




________________________________
 From: Leif Johansson <leifj at sunet.se>
To: users at shibboleth.net 
Sent: Tuesday, May 14, 2013 7:23 AM
Subject: Re: School me on hub and spoke federations
 


On 05/14/2013 04:19 PM, Mike Flynn wrote:

> OK, since I will have to identify the organization through an attribute instead of the entityID, what is an appropriate attribute for doing this that would be reasonable for the hub and spoke based institutions to support?
>
>
There is a scope thing (not the Shibboleth extension by that name) inside the
AuthnRequest. Some support that. Others - especially those in R&E space -
use schacHomeOrganization set to the domain of the org.

        Cheers Leif



>________________________________
> From: Tom Scavo <trscavo at gmail.com>
>To: Shib Users <users at shibboleth.net> 
>Sent: Monday, May 13, 2013 2:29 PM
>Subject: Re: School me on hub and spoke federations
> 
>
>On Mon, May 13, 2013 at 5:04 PM, Leif Johansson <leifj at sunet.se> wrote:
>>
>> However (as with any name-constraints-scheme) the more
>> scopes you have on a single IdP the higher the risk of
>> anything going wrong.
>
>Yes, I found one hub-and-spoke federation that had 256 scopes on its
>IdP Proxy. Clearly scoped attributes (such as eduPersonPrincipalName)
>are not compatible with hub-and-spoke federations.
>
>Let me put it another way. In a full mesh federation, the scope helps
>prevent one IdP from asserting arbitrary identities. In a
>hub-and-spoke federation, the IdP Proxy is All-Powerful in that it can
>assert any identity it wants. Indeed, the IdP Proxy is a single point
>of compromise.
>
>Tom
>--
>To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
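The scope check Tom describes, worked through as an added example (Python; this is not code from the thread or from Shibboleth, and the metadata, entityIDs, scopes and user names in it are invented): a mesh-federation SP accepts a scoped attribute such as eduPersonPrincipalName only when the asserting IdP's metadata carries that scope, so a single-scope IdP cannot assert identities in anyone else's scope. Once a proxy is registered for every spoke's scope, the same check accepts an identity in any of those scopes from one signing key, which is the single point of compromise Tom points at and why Leif's schacHomeOrganization becomes the only per-organization signal the SP has. The regexp handling (whole-scope match) is an assumption of this example.

```python
"""Why scoped attributes stop constraining anything behind a hub-and-spoke
IdP proxy.  Constructed example; not Shibboleth code and not from the thread."""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed SAML metadata (entityIDs and scopes are invented): one ordinary
# IdP registered for a single scope, and one hub-and-spoke proxy that carries
# a scope for every spoke it fronts.
METADATA = r"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://proxy.hub.example/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">spoke1.example</shibmd:Scope>
        <shibmd:Scope regexp="false">spoke2.example</shibmd:Scope>
        <shibmd:Scope regexp="true">^[a-z0-9-]+\.hub\.example$</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def load_scopes(metadata_xml):
    """Map each IdP entityID to its registered (scope, is_regexp) pairs."""
    root = ET.fromstring(metadata_xml)
    scopes = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        pairs = []
        for s in ed.iterfind("md:IDPSSODescriptor/md:Extensions/shibmd:Scope", NS):
            pairs.append((s.text.strip(), s.get("regexp", "false") == "true"))
        scopes[ed.get("entityID")] = pairs
    return scopes


def scope_permitted(issuer, value, scopes):
    """The mesh-federation check an SP applies to a scoped attribute such as
    eduPersonPrincipalName: accept user@scope only if the asserting IdP is
    registered for that scope in metadata.  Regexp scopes are matched against
    the whole scope string (an assumption of this example)."""
    if "@" not in value:
        return False
    scope = value.rsplit("@", 1)[1].lower()
    for pattern, is_regexp in scopes.get(issuer, []):
        if is_regexp and re.fullmatch(pattern, scope):
            return True
        if not is_regexp and scope == pattern.lower():
            return True
    return False


def home_organization(issuer, attributes, scopes):
    """Identify the user's organization.  A single-scope IdP identifies it
    through metadata; behind a proxy the entityID is the same for every spoke,
    so the SP has to fall back to the schacHomeOrganization attribute."""
    registered = scopes.get(issuer, [])
    if len(registered) == 1 and not registered[0][1]:
        return registered[0][0]
    return attributes.get("schacHomeOrganization")


def demo():
    scopes = load_scopes(METADATA)
    idp = "https://idp.example.edu/idp/shibboleth"
    proxy = "https://proxy.hub.example/idp/shibboleth"
    # Mesh: the scope check rejects an eppn outside the IdP's own scope.
    mesh = [scope_permitted(idp, v, scopes)
            for v in ("alice@example.edu", "alice@spoke1.example")]
    # Hub-and-spoke: the proxy holds every spoke's scope, so the same check
    # accepts an eppn in any spoke's scope, all signed by one key.
    hub = [scope_permitted(proxy, v, scopes)
           for v in ("alice@spoke1.example", "bob@spoke2.example",
                     "carol@spoke9.hub.example")]
    org = home_organization(proxy, {"schacHomeOrganization": "spoke2.example"}, scopes)
    return {"mesh": mesh, "hub": hub, "proxy_scopes": len(scopes[proxy]), "org": org}


if __name__ == "__main__":
    print(demo())
```

Running the block prints the mesh result [True, False] beside the proxy result [True, True, True]: the check is the same function in both cases, and the difference in what it constrains comes entirely from how many scopes the metadata grants the issuer.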