Dear All
Thanks for all of the replies on this. I think this is probably a good time
to launch a new outreach resource from my team, in the form of the Access
Management Blog! We are hoping to use this resource to discuss some of the
more complex issues around federated access management.
http://involve.jisc.ac.uk/wpmu/jam/
On setting up the blog, my very first post was on accountability. This area
is very important for us and we want to get it right. I think some of my
questions have been answered in the posts that we have had over the last few
days, but please see the post here:
http://involve.jisc.ac.uk/wpmu/jam/2007/04/10/the-accountability-question/.
To note, the Federation does not say don't reassign...it says don't reassign
within 24 months. I'd be very interested to hear comments on this time
period.
Finally, section 7.1.3.1 of the technical recommendations for participants
provides some useful information on targeted generation. Again, I'd be
interested in hearing more on whether we should extend the advice in this
section.
I'm currently on site at the UK Serials Group conference and have had some
very interesting, very positive conversations with service providers. More
soon on the Blog!
Nicole
-----Original Message-----
From: Discussion list for Shibboleth developments
[mailto:[log in to unmask]] On Behalf Of Jon Warbrick
Sent: 17 April 2007 10:47
To: [log in to unmask]
Subject: Re: Athens resources on the UK federation
On Tue, 17 Apr 2007, Andy Swiffin wrote:
> Jon Warbrick<[log in to unmask]> wrote:
>> One approach is to hash user identifier, SP identifier, IdP identifier,
>> and a secret. The Internet2 reference implementation includes support for
>> doing this out of the box. Opinions vary as to whether it's better to do
>> this on the fly every time (which requires no back-end storage), or to do
>> it once when each tuple is required and store the result.
>
> OK, thanks Jon, so the IdP software can do this kind of stuff for us on
> the fly - this is where I think I'm needing to get my hands dirty and
> actually start looking more closely at the software and what it can do.
>
> If you do the hash once for each SP instance and store it, how is it
> stored, does the IdP refer to a directory multivalued attribute stored
> in some form of key:value pair or something like that?
The Internet2 software only supports hashing on the fly. You can presumably
extend it, given sufficient Java skill, to support only computing the
value once. How you store it is then your problem!
Jon.
--
Jon Warbrick
Web/News Development, Computing Service, University of Cambridge
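As an added illustration of the on-the-fly approach Jon describes (hashing user identifier, SP identifier, IdP identifier and a secret), the following Python sketch derives a per-SP identifier with a keyed HMAC. It is not code from this thread or from the Internet2/Shibboleth software; the entityIDs, the secret, the field encoding and the choice of HMAC-SHA256 are all assumptions.

```python
import base64
import hashlib
import hmac

# Constructed sample values; a real deployment would use its own entityIDs and a
# secret generated with a CSPRNG and kept out of the directory and config repo.
IDP_ENTITY_ID = "https://idp.example.ac.uk/shibboleth"
SP_ENTITY_IDS = [
    "https://sp1.example.org/shibboleth",
    "https://sp2.example.org/shibboleth",
]
SECRET = b"constructed-demo-secret-not-for-real-use"


def _encode_fields(*fields: str) -> bytes:
    """Length-prefix each field so adjacent fields cannot be re-split ambiguously."""
    out = b""
    for f in fields:
        data = f.encode("utf-8")
        out += len(data).to_bytes(4, "big") + data
    return out


def targeted_id(user_id: str, sp_entity_id: str, idp_entity_id: str, secret: bytes) -> str:
    """Derive a per-SP pseudonym on the fly from (user, SP, IdP) and a secret.

    The same tuple always yields the same value, so nothing has to be stored;
    without the secret an SP cannot recover the user id or link values across SPs.
    Changing the secret silently reassigns every identifier at once, which is the
    kind of reassignment a "not within 24 months" rule is meant to rule out.
    """
    msg = _encode_fields(user_id, sp_entity_id, idp_entity_id)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def per_sp_identifiers(user_id: str) -> dict:
    """Map each configured SP to the identifier it would receive for this user."""
    return {sp: targeted_id(user_id, sp, IDP_ENTITY_ID, SECRET) for sp in SP_ENTITY_IDS}


if __name__ == "__main__":
    # Same user, two SPs: two unrelated-looking values, recomputable on demand.
    for sp, value in per_sp_identifiers("jbloggs").items():
        print(f"{sp} -> {value}")
```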