On Tue, 17 Apr 2007, Andy Swiffin wrote:
> Jon Warbrick <[log in to unmask]> wrote:
>> One approach is to hash user identifier, SP identifier, IdP identifier,
>> and a secret. The Internet2 reference implementation includes support for
>> doing this out of the box. Opinions vary as to whether it's better to do
>> this on the fly every time (which requires no back-end storage), or to do
>> it once when each tuple is required and store the result.
>
> OK, thanks Jon, so the IdP software can do this kind of stuff for us on
> the fly - this is where I think I'm needing to get my hands dirty and
> actually start looking more closely at the software and what it can do.
>
> If you do the hash once for each SP instance and store it, how is it
> stored, does the IdP refer to a directory multivalued attribute stored
> in some form of key:value pair or something like that?
The Internet2 software only supports hashing on the fly. You can presumably
extend it, given sufficient Java skill, to support only computing the
value once. How you store it is then your problem!
Jon.
--
Jon Warbrick
Web/News Development, Computing Service, University of Cambridge
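The two variants Jon describes (hash the user/SP/IdP tuple plus a secret on the fly, or compute it once and store it) side by side, as an added example that is not part of the thread and is not the Internet2 reference implementation. It assumes HMAC-SHA256 over a length-prefixed encoding of the three fields; the real Shibboleth computed-ID algorithm may differ in hash and encoding. The secret and entity IDs are constructed for the demonstration, and the `naive_id` function exists only to show why a plain delimiter-joined hash is ambiguous.

```python
"""Persistent pseudonymous IDs derived from (user, SP, IdP, secret).

Added example, not Shibboleth/Internet2 code. Shows the hash-on-the-fly
approach and the compute-once-and-store variant discussed in the thread.
"""
import base64
import hashlib
import hmac

# Constructed secret for the example. A real IdP reads this from configuration;
# losing it breaks every identifier, changing it re-keys every user at every SP.
SECRET = b"example-idp-secret-do-not-use"


def naive_id(user_id: str, sp_entity_id: str, idp_entity_id: str, secret: bytes = SECRET) -> str:
    """Plain delimiter-joined hash, shown only as a contrast: the encoding is
    ambiguous whenever an identifier can itself contain the delimiter."""
    data = "!".join([user_id, sp_entity_id, idp_entity_id]).encode("utf-8") + b"!" + secret
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def computed_id(user_id: str, sp_entity_id: str, idp_entity_id: str, secret: bytes = SECRET) -> str:
    """Keyed, length-prefixed hash of the tuple (assumed construction, not Shibboleth's).

    HMAC keeps the secret from being brute-forced against guessable user IDs,
    and the 4-byte length prefix on each field makes the encoding injective."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    for field in (user_id, sp_entity_id, idp_entity_id):
        raw = field.encode("utf-8")
        mac.update(len(raw).to_bytes(4, "big"))
        mac.update(raw)
    return base64.b64encode(mac.digest()).decode("ascii")


class StoredIdResolver:
    """Compute-once variant: the value is derived the first time a tuple is seen
    and then served from storage (a dict here; a directory attribute or DB table
    in a real deployment)."""

    def __init__(self, idp_entity_id: str, secret: bytes = SECRET):
        self.idp_entity_id = idp_entity_id
        self.secret = secret
        self.store = {}          # (user_id, sp_entity_id) -> persistent id
        self.computations = 0    # how often the hash was actually run

    def resolve(self, user_id: str, sp_entity_id: str) -> str:
        key = (user_id, sp_entity_id)
        if key not in self.store:
            self.store[key] = computed_id(user_id, sp_entity_id, self.idp_entity_id, self.secret)
            self.computations += 1
        return self.store[key]


# Constructed identifiers for the demonstration.
IDP = "https://idp.example.ac.uk/shibboleth"
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"


def properties_hold() -> bool:
    """The checks worth running before releasing such an attribute to SPs."""
    stable = computed_id("jdoe", SP_A, IDP) == computed_id("jdoe", SP_A, IDP)
    per_sp = computed_id("jdoe", SP_A, IDP) != computed_id("jdoe", SP_B, IDP)
    per_secret = computed_id("jdoe", SP_A, IDP) != computed_id("jdoe", SP_A, IDP, b"other")
    # Delimiter ambiguity: the naive join cannot tell these two tuples apart.
    naive_collides = naive_id("a!b", "c", IDP) == naive_id("a", "b!c", IDP)
    hardened_distinct = computed_id("a!b", "c", IDP) != computed_id("a", "b!c", IDP)
    # Stored and on-the-fly variants must agree, and storage must avoid recomputation.
    r = StoredIdResolver(IDP)
    first, second = r.resolve("jdoe", SP_A), r.resolve("jdoe", SP_A)
    stored_ok = first == second == computed_id("jdoe", SP_A, IDP) and r.computations == 1
    return all([stable, per_sp, per_secret, naive_collides, hardened_distinct, stored_ok])


if __name__ == "__main__":
    print(computed_id("jdoe", SP_A, IDP))
    print("all properties hold:", properties_hold())
```

The on-the-fly variant needs no back-end storage but makes the secret the single point of failure: if it is changed, every user gets a new identifier at every SP. The stored variant survives a secret rotation (old values stay in the store) but turns the store into something that must be backed up and protected like any other account attribute.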