Hi folks,
are there any best practices for the use of ePSA? The specs have a
tightly controlled vocabulary which applies in the context of the IdP.
However, we're seeing a use case where we'd like to pass values that
are in the context of a mutually agreed affiliation between the IdP
and SP. Basically, the SP would be defining finer grained affiliations
based on resources held by the SP and the IdP would assert
accordingly, e.g. "member allowed to access Resource X". AFAIK
OpenAthens allows you to do this using ePSA, which can be used to
contain user roles that are Athens permission sets, which are
obviously outside the controlled vocabulary of ePSA.
The other way is to define a completely new attribute (OpenAthens
again, userRole) but some SPs might not like that. I don't see a
problem using ePSA to transport custom affiliations but just thought
I'd check with those who know these things.
Thanks,
Alistair
--------------
mov eax,1
mov ebx,0
int 80h
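For the SP side of the question above, an added example (my own, not code from OpenAthens, the eduPerson spec or anyone in this thread) of how an SP might validate asserted ePSA values: it checks the scope against what the IdP is registered for and accepts affiliations only from the controlled vocabulary plus any values bilaterally agreed with that IdP. The entity ID, scope and custom affiliation are constructed placeholders.

```python
"""SP-side check for eduPersonScopedAffiliation (ePSA) values of the form
<affiliation>@<scope>.

Two things are enforced:
  * the scope must be one the IdP is registered for (in practice taken
    from the IdP's metadata; here a constructed allow-list), and
  * the affiliation must be in the eduPerson controlled vocabulary,
    unless the SP has explicitly agreed extra values with that IdP.
"""

# eduPersonAffiliation controlled vocabulary (eduPerson specification).
EDUPERSON_AFFILIATIONS = frozenset({
    "faculty", "student", "staff", "alum", "member", "affiliate",
    "employee", "library-walk-in",
})

# Constructed sample policy (hypothetical identifiers): which scopes each
# IdP may assert, and any bilaterally agreed custom affiliations, i.e. the
# "member allowed to access Resource X" case from the question.
IDP_POLICY = {
    "https://idp.example.ac.uk/idp": {
        "scopes": {"example.ac.uk"},
        "agreed_custom": {"resource-x-member"},
    },
}


def check_epsa(idp_entity_id, values, policy=IDP_POLICY):
    """Return (accepted, rejected) for the ePSA values asserted by one IdP.

    rejected holds (value, reason) tuples so the SP can log why an
    affiliation was dropped instead of silently granting or denying access.
    """
    idp = policy.get(idp_entity_id, {"scopes": set(), "agreed_custom": set()})
    accepted, rejected = [], []
    for raw in values:
        value = raw.strip().lower()
        affiliation, sep, scope = value.partition("@")
        if not sep or not affiliation or not scope:
            rejected.append((raw, "malformed, expected affiliation@scope"))
        elif scope not in idp["scopes"]:
            # An IdP must not assert affiliations for a scope it is not
            # authoritative for; unknown IdPs have no scopes and get nothing.
            rejected.append((raw, f"scope {scope!r} not registered for this IdP"))
        elif affiliation in EDUPERSON_AFFILIATIONS or affiliation in idp["agreed_custom"]:
            accepted.append(value)
        else:
            rejected.append((raw, f"affiliation {affiliation!r} outside vocabulary and not agreed"))
    return accepted, rejected
```

An SP that only knows the standard vocabulary would land the custom values in the rejected list, which is the interoperability cost of transporting them in ePSA rather than a separate attribute.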