>>>>> "Stefan" == Stefan Paetow writes:
>> P.S.: However, if the RP is allowed to belong to different CoIs,
>> then when a user requests access I was wondering how the RP
>> selects the appropriate CoI.
Stefan> Rafa, that's a good question… i.e. if RP and IdP are each
Stefan> part of two TR COIs, wouldn't the most restrictive apply (in
Stefan> terms of most restrictive, I mean the smallest TR COI that
Stefan> matches both RP and IdP)?
No, the RP proxy chooses which COI applies.
They may have non-overlapping attribute release policies or other things
that would make intersection and other set operators applied
automatically inappropriate.
--Sam