Anonymous Sessions?

Peter Schober peter.schober at univie.ac.at
Mon Jun 23 09:50:37 EDT 2014


* Jeff Masiello <jmasiello at actionet.com> [2014-06-23 14:33]:
> how is it possible to have an anonymous session that is persistent
> in Shibboleth? Seems like the two contradict.

If by persistent you mean you'd like to recognize a returning subject
over time, then yes, that's not possible without the IDP sending
something by which the SP would recognize a returning subject.

There are data structures (SAML2 persistent NameID) designed to limit
the exposure in such cases, though, giving the SP only a
service-specific pseudonym, i.e. an identifier that will be the same
over time for the same subject using the same service, but that does
not have any meaning (or constitute PII) and will also differ for
services that same subject will be accessing.
Cf. http://macedir.org/specs/eduperson/#eduPersonTargetedID
-peter
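
The property described in the reply above (the same value over time for one subject at one service, a different value at every other service), as an added example that is not part of the original post and is not Shibboleth's own algorithm. It derives the pseudonym with HMAC-SHA256 over the SP entityID and a local user name; the secret, entity IDs and user names are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed sample values (assumptions, not taken from the post).
IDP_SECRET = b"constructed-demo-secret-not-for-production"
SP_WIKI = "https://wiki.example.org/shibboleth"
SP_LIBRARY = "https://library.example.org/shibboleth"


def pairwise_id(secret: bytes, local_subject: str, sp_entity_id: str) -> str:
    """Derive an opaque pseudonym for one subject at one service."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot
    # produce the same MAC input.
    msg = b"".join(
        len(part).to_bytes(4, "big") + part
        for part in (sp_entity_id.encode(), local_subject.encode())
    )
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Truncate to 160 bits and encode as text; the value carries no meaning.
    return base64.b32encode(digest[:20]).decode().rstrip("=")


def sp_view(sp_entity_id: str, users: list[str]) -> set[str]:
    """Everything one SP learns about the subjects: their pseudonyms."""
    return {pairwise_id(IDP_SECRET, u, sp_entity_id) for u in users}


def can_correlate(view_a: set[str], view_b: set[str]) -> bool:
    """Two SPs comparing notes can link subjects only via shared values."""
    return bool(view_a & view_b)


if __name__ == "__main__":
    users = ["jdoe", "asmith"]  # constructed local user names
    first = pairwise_id(IDP_SECRET, "jdoe", SP_WIKI)
    again = pairwise_id(IDP_SECRET, "jdoe", SP_WIKI)
    print("returning subject recognised at wiki:", first == again)
    print("wiki and library can correlate:",
          can_correlate(sp_view(SP_WIKI, users), sp_view(SP_LIBRARY, users)))
```

The pseudonym is only as unlinkable as the secret is private: anyone holding it can recompute the value for any user name and SP.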