SP registration APIs
cantor.2 at osu.edu
Wed Aug 1 22:43:49 EDT 2018
On 8/1/18, 10:14 PM, "users on behalf of Peter Schober" <users-bounces at shibboleth.net on behalf of peter.schober at univie.ac.at> wrote:
> Unless you really really need something that allows them to fire up a
> fresh docker container and have it work with your SSO system, but in a
> trustworthy way. Then such tokens might still serve a purpose.
In terms of path of least resistance and what's available out of the box, I would imagine registering a key and a single entityID for customers to deploy on "systems" (where that's defined by some policy you come up with) is about the closest approximation you'd get. It just depends how little granularity you can live with, but of course in reality any SP you have metadata for could proxy a million other SPs without your IdP being any the wiser, so there's nothing stopping it now other than the work it takes.
So I'd suggest considering the use of signed requests for some subset of customers, and that's probably about as good as you'll get without a lot of work. But once you open the box, it's hard to control it, they're going to slam that key on as many systems as they can to avoid dealing with you again. It's a matter of policy I guess.
More information about the users