Q: Blakley talked about the PDP sending out pull requests for identity info and then plugging in all the variables in the policy statement with facts about the authenticated user and sending back the allow or deny access decision. Can SAML perform these kinds of operations?
Q: Can SAML behave the way a PDP could behave in initiating queries against an IdP? (This is a question to take back to Shib-dev.)
Q: What are the issues around the SP knowing what the policy is and what attributes the PDP requires?
Q: What about situations where you don't know up front what attributes you need? (Such as with the use case Blakley presents for a loan issuer.)
Q: How does an SP make an assertion against an IdP different than the one that initiated the request? I.e. if you have central authorization (e.g. Grouper), then the user might sign in from another institution, but the group of people or the privileges they have for a local application might be stored locally and could be accessed by an assertion against the local IdP... is it possible, is it how things should work, etc.? (question from Chris Hyzer)
A: (from Scott Cantor) If by "assertion" you mean query, then the Shibboleth SP already includes simple aggregation by means of a query with a common identifier between the original IdP and the additional one(s). It can handle hardcoded references, or can follow dynamic references to authorities within attribute values it gets from the IdP.

That isn't a privacy-appropriate model (it's exactly what I was railing against on the educause list), but it's a simple one, and totally appropriate if the SP and additional sources are co-located anyway (i.e., a VO). SWITCH, among others, has built VO platform functionality on it.

The SP could be extended with plugins to query other sources (LDAP, ODBC) in a similar manner.

The questions about SAML are essentially misdirected. SAML queries are generic, just like LDAP queries are. You can't ask the question about the standard, only specific software.
See: