Burden of Authorization

Alex Olson ako at byu.edu
Thu Dec 18 14:08:58 EST 2014


In Shibboleth/SAML protocol in general, whose burden is it to determine whether or not principal X should be able to access some service, the IdP’s or the SP’s?

I’d be inclined to think that the IdP is simply the releaser of attributes and the SP has the burden to use those attributes to determine whether or not the principal should be allowed access, but now we are being asked by a vendor to have our IdP bear the burden of authorization. What do you think? Should I push back? Is it even possible to have the IdP bear the burden of authorization?


--
Alex K. Olson