Burden of Authorization

Cantor, Scott cantor.2 at osu.edu
Thu Dec 18 14:26:38 EST 2014


On 12/18/14, 7:08 PM, "Alex Olson" <ako at byu.edu> wrote:

>In Shibboleth/SAML protocol in general, whose burden is it to determine 
>whether or not principal X should be able to access some service, the 
>IdP's or the SP's?

SAML doesn't dictate anything like that. In practice, the owner of the 
resources is the only one incented to care. The problem with most cloud 
services is that the owner isn't the service. That's why they don't care 
and want you to do it.

>Is it even possible to have the IdP bear the burden of authorization?

If you mean technically, no, not out of the box in V2. There are 
extensions that do it.

-- Scott
