On Thu, 14 Jun 2007, Alistair Young wrote:
> yes, I think it's important to remember that users should not be exposed
> to the current attribute vocabulary. i.e. "do you want to release your
> userRole attribute to this service provider?" will flood the helpdesk with
> "what's my userRole attribute?" questions.
Agreed.
> "Do you want to let the Service Provider know your email address?" is what
> they should be asked and the IdP should do that mapping. But then again,
> IdPs don't know what attributes the SP wants.
True, but my IdP (at least) knows what attributes it's willing to release,
which amounts to the same thing. DPA considerations and UK Federation
rules suggest that I should only release things like ePPN if it's
'necessary' and that means I should evaluate what I release to each SP.
In practice I'm currently planning to release ePITD and ePSA by default to
any SP in the Federation. When someone else wants something else (such as
the two possible values of ePE for the Athens G/W) then that will require
a config change. Quite how onerous this will be depends on what SPs end up
requiring, and we'll only know that once we have a significant number of
real SPs in the Federation.
> Most SPs take a blunderbuss
> approach, getting the IdP to release everything and then sifting to see if
> what has arrived is enough to grant access.
As far as I'm concerned, they can ask for what they want. What I tell them
is up to me.
> Remember that your first name can be transported in any number of
> attributes depending on which SP wants it. So you should be asked about
> your first name, not your
> urn:very:long:urn:eduThingyNeverHeardOfThatAttribute.
>
> The IdP is an attribute babel fish:
> http://en.wikipedia.org/wiki/Babel_fish
True, but I get to control what, and how, it translates.
Jon.
--
Jon Warbrick
Web/News Development, Computing Service, University of Cambridge
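As an added illustration (not code from either poster), here is what the release policy Jon describes looks like in the Shibboleth IdP 2.x attribute-filter.xml syntax: ePTID and ePSA to every SP by default, ePE only to one named requester and only for two agreed values. The attribute IDs follow the stock resolver names; the gateway entityID and the two entitlement values are placeholders, since the thread does not give them.

```xml
<!-- Added example, not from the thread: Shibboleth IdP 2.x attribute-filter.xml
     expressing the policy described above. Attribute IDs follow the stock
     resolver; the entityID and entitlement values are PLACEHOLDERS. -->
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Default for any SP in the federation: ePTID and ePSA, nothing else.
       Attributes with no rule here (ePPN, mail, ...) are never released,
       so "release only what is necessary" is the starting point. -->
  <afp:AttributeFilterPolicy id="federationDefault">
    <afp:PolicyRequirementRule xsi:type="basic:ANY" />
    <afp:AttributeRule attributeID="eduPersonTargetedID">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

  <!-- The per-SP "config change": only this requester sees ePE, and only
       the two agreed values, so any other entitlements a user holds stay
       private even though the SP may have asked for everything. -->
  <afp:AttributeFilterPolicy id="athensGatewayEntitlement">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://athens-gateway.example.invalid/shibboleth" />
    <afp:AttributeRule attributeID="eduPersonEntitlement">
      <afp:PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString"
            value="urn:mace:example.invalid:entitlement:placeholder-1" />
        <basic:Rule xsi:type="basic:AttributeValueString"
            value="urn:mace:example.invalid:entitlement:placeholder-2" />
      </afp:PermitValueRule>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>
```

Because the filter is deny-by-default, each new SP requirement becomes one more AttributeFilterPolicy block rather than a loosening of the federation-wide rule, which keeps the "what I tell them is up to me" stance auditable in a single file.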