[OGSA-AUTHZ] VO SAML Attribute Profile
Chad La Joie
chad.lajoie at switch.ch
Wed Feb 13 07:29:43 CST 2008
Metadata is not currently self-asserted. So it's not the IdP that
defines its metadata. It's the federation that is ultimately
responsible for it. So, you have a third party there vouching that the
scope is appropriate for the IdP. So, if you trust that third party
you're good.
Krzysztof Benedyczak wrote:
> Hi Tom,
>
> Thank you for the comprehensive answer.
>
> Tom Scavo wrote:
>> I don't think you can safely infer scope from entityID. In
>> Shibboleth, all IdP scopes are called out in SAML metadata. The SP
>> consumes the metadata and says to itself "okay, I'll recognize any of
>> the scopes you've listed here, it doesn't matter to me which one you
>> use for a particular response."
> And here is my doubt. You mean that the *IdP's* metadata contains the scopes
> which are valid for it? The SP processes the metadata and later checks if
> an assertion from this particular IdP has one of the scopes defined there?
> If so, what is the sense of such a check, as an IdP can put any scope in its
> metadata (also conflicting with scopes of other IdPs)?
>
> Probably after taking the Internet2 lecture on the scopes I wouldn't ask
> this question ;)
>
> Apart from this question, the rest is now clear to me.
>
> Best regards
> Krzysztof
> --
> ogsa-authz-wg mailing list
> ogsa-authz-wg at ogf.org
> http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad.lajoie at switch.ch, http://www.switch.ch
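The check Tom and Chad describe, as an added example that is not code from the thread, from Shibboleth or from SWITCH: the SP loads federation-published SAML metadata, collects each IdP's shibmd:Scope elements, and accepts a scoped attribute value (value@scope) only when the asserting IdP is allowed to use that scope. It also includes the federation-side check Krzysztof is worried about, listing scopes that more than one IdP claims. The metadata, entityIDs and attribute values are constructed for the example; the matching rules (case-insensitive literal compare, full-match for regexp="true") are my choice and not a statement of how any particular SP implements them.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed federation metadata (entityIDs and scopes are made up).
# The federation, not the IdP, publishes this document; the rogue IdP
# claiming "example.edu" is included to show what the federation must catch.
FEDERATION_METADATA = r"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
        <shibmd:Scope regexp="true">^.+\.example\.edu$</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.other.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">other.org</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.rogue.example/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def load_scopes(metadata_xml):
    """Map IdP entityID -> list of (pattern, is_regexp) taken from shibmd:Scope."""
    root = ET.fromstring(metadata_xml)
    scopes = {}
    for ent in root.iter("{%s}EntityDescriptor" % NS["md"]):
        entries = []
        for scope in ent.findall("md:IDPSSODescriptor/md:Extensions/shibmd:Scope", NS):
            is_regexp = scope.get("regexp", "false").lower() == "true"
            entries.append(((scope.text or "").strip(), is_regexp))
        scopes[ent.get("entityID")] = entries
    return scopes


def scope_permitted(scopes, issuer, scope):
    """True if the issuing IdP's metadata lists a scope matching `scope`."""
    for pattern, is_regexp in scopes.get(issuer, []):
        if is_regexp:
            if re.fullmatch(pattern, scope):
                return True
        elif scope.lower() == pattern.lower():
            return True
    return False


def filter_scoped_attribute(scopes, issuer, values):
    """Split each 'value@scope'; keep only values whose scope the issuer may assert.

    An unknown issuer, a value without '@', or a scope the issuer does not list
    all end up in `rejected`. Returns (accepted, rejected).
    """
    accepted, rejected = [], []
    for value in values:
        if "@" not in value:
            rejected.append(value)
            continue
        _, scope = value.rsplit("@", 1)
        if scope_permitted(scopes, issuer, scope):
            accepted.append(value)
        else:
            rejected.append(value)
    return accepted, rejected


def find_scope_conflicts(scopes):
    """Federation-side check: literal scopes claimed by more than one IdP."""
    claimants = {}
    for entity_id, entries in scopes.items():
        for pattern, is_regexp in entries:
            if not is_regexp:
                claimants.setdefault(pattern.lower(), []).append(entity_id)
    return {s: ids for s, ids in claimants.items() if len(ids) > 1}


if __name__ == "__main__":
    scopes = load_scopes(FEDERATION_METADATA)
    ok, bad = filter_scoped_attribute(
        scopes,
        "https://idp.example.edu/idp/shibboleth",
        ["member@example.edu", "staff@cs.example.edu", "faculty@other.org",
         "student@evil.example.edu.attacker.net", "broken"],
    )
    print("accepted:", ok)
    print("rejected:", bad)
    print("conflicts the federation must resolve:", find_scope_conflicts(scopes))
```

The SP-side check only answers "is this IdP allowed to use this scope according to the metadata I trust"; it cannot tell whether two IdPs both claim example.edu. That is exactly the gap find_scope_conflicts covers, and it is why the trust ends up resting on the federation that signs and publishes the metadata rather than on the IdP itself.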