Thanks Andy,
> why would I want to do otherwise?
Good question :-) I had it there 'cos it seemed to make sense to restrict sending attributes only to SPs that I know about (or rather the UK Fed knows about) . . . Having said that, I wouldn't worry too much about sending ePTID to unknown SPs, but I'm not sure about ePSA - I only release "member" or "affiliate" by default (how "personal" are these?) - SPs that require more specific ePSAs such as "staff" or "student", or have other specific attribute requirements, will get their own, additional, filter policy (which is what I was actually trying to test via aacli when I bumped up against this bug) . . .
But as Rod says, you could just not specify an anonymous relying party, and then you would know that the SP must be in the UK Fed, so you can release to anyone . . . . But that would prevent basic authentication against unknown relying parties (is that good or bad?) - and is authentication without attributes any use?
Personally, my feeling is to leave the attribute filter to only release my core attributes to UK Fed SPs (so I don't get caught out by something unforeseen in the future), and leave the anonymous relying party in place, unless there are other arguments to sway me the other way?
Cheers,
Mike
Michael White
eLearning Developer
eLearning Liaison & Development (eLD)
3V3a, Cottrell
University of Stirling
Stirling SCOTLAND
FK9 4LA
Email: [log in to unmask]
Tel: +44 (0) 1786 466877
Fax: +44 (0) 1786 466880
http://www.is.stir.ac.uk/aboutis/teams/aldt/eld.php
-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Andy Swiffin
Sent: 22 April 2010 09:30
To: [log in to unmask]
Subject: Re: aacli.sh and Java Heap Space
>>> On 22/04/2010 at 08:39, in message <[log in to unmask]>, Michael White <[log in to unmask]> wrote:
> Oh, thanks Andy,
>
>
> If this is working for you, then there is something going on that I'm
> missing (wouldn't be the first time!) - have I misunderstood this bug? Are
> there circumstances in which aacli will successfully resolve attributes for
> an Entity that is part of an "AttributeRequesterInEntityGroup"?
Ahh - that's probably why it worked for me. I started playing with this before I saw any documentation that mentioned "AttributeRequesterInEntityGroup" (it still doesn't seem to be very clearly documented) but I do see it now in http://www.ukfederation.org.uk/content/Documents/Setup2IdP:
<PolicyRequirementRule xsi:type="saml:AttributeRequesterInEntityGroup"
groupID="http://ukfederation.org.uk" />
For my default attribute release of ePTID (old and new), ePSA and ePA I just have:
<AttributeFilterPolicy id="releaseToAnyone">
<PolicyRequirementRule xsi:type="basic:ANY" />
As documented at https://spaces.internet2.edu/display/SHIB2/IdPAddAttributeFilter why would I want to do otherwise?
Andy
************************************************************
Please consider the environment. Do you really need to print this email?
The University of Dundee is a registered Scottish charity, No: SC015096
--
The Sunday Times Scottish University of the Year 2009/2010
The University of Stirling is a charity registered in Scotland,
number SC 011159.
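The two approaches discussed in the thread, side by side, as an added illustration (this is not configuration from either poster, nor from the UK federation or Shibboleth documentation): a Shibboleth IdP 2.x attribute-filter.xml with a default policy that releases the core set (ePTID, ePSA limited to member/affiliate, ePA) only to requesters in the UK federation entity group, plus a separate per-SP policy that adds the finer-grained "staff" value for one named SP. The SP entity ID, the policy ids and the IdP scope are placeholders; the groupID is the one quoted in Andy's message. An SP reaching the IdP only through the anonymous relying party is not in the entity group, so under this file it authenticates but receives no attributes, which is the trade-off Mike raises.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not taken from the thread. Entity IDs, scope and policy ids
     are placeholders; only the groupID comes from the UK federation setup notes. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Default release: core attributes go only to SPs registered in the UK
       federation entity group. A requester that is unknown to the federation
       metadata (e.g. one handled by the anonymous relying party) matches no
       PolicyRequirementRule here, so it gets no attributes at all. -->
  <AttributeFilterPolicy id="releaseCoreToUKFederation">
    <PolicyRequirementRule xsi:type="saml:AttributeRequesterInEntityGroup"
                           groupID="http://ukfederation.org.uk" />

    <!-- ePTID is an opaque, per-SP pairwise identifier -->
    <AttributeRule attributeID="eduPersonTargetedID">
      <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

    <!-- ePSA: only the coarse values; staff/student are withheld by default.
         Values look like member@example.ac.uk, hence the regex on the whole value. -->
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueRegex" regex="^member@.+$" />
        <basic:Rule xsi:type="basic:AttributeValueRegex" regex="^affiliate@.+$" />
      </PermitValueRule>
    </AttributeRule>

    <!-- ePA: same restriction on the unscoped affiliation -->
    <AttributeRule attributeID="eduPersonAffiliation">
      <PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString" value="member" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" />
      </PermitValueRule>
    </AttributeRule>
  </AttributeFilterPolicy>

  <!-- Per-SP policy for one service that genuinely needs the finer value.
       Filter policies are additive: this SP still receives the core set above,
       plus "staff@..." from this rule. The entity ID is a placeholder. -->
  <AttributeFilterPolicy id="releaseStaffAffiliationToHRPortal">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                           value="https://hr-portal.example.ac.uk/shibboleth" />
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="basic:AttributeValueRegex" regex="^staff@.+$" />
    </AttributeRule>
  </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

The per-SP policy is deliberately keyed on the exact entity ID (basic:AttributeRequesterString) rather than on group membership, so a new SP joining the federation cannot pick up "staff" or "student" without an explicit change to this file. Whether the group-restricted default is the right choice is the open question in the thread: it protects against an unforeseen release to an SP outside the federation, at the cost of making anonymous-relying-party logins attribute-less.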