>>>>> "Scott" == Scott Cantor <[log in to unmask]> writes:
>> This creates a significant new requirement on the AAA core. It's
>> a requirement that JANET(UK) would not have trouble meeting, but
>> I think it limits the authorization and personalization aspects
>> of Moonshot significantly. Also, I think it significantly
>> decreases the incremental deployability of Moonshot in some
>> contexts: to connect two Moonshot cliques into a connected graph,
>> you need to get SAML metadata connectivity as well as AAA
>> connectivity.
Scott> I'm not clear on how you get the same assurances with regard
Scott> to IdPs and SPs without simply turning the AAA connectivity
Scott> requirements into SAML requirements.
You don't. What I want to make sure happens is that you get something
as good as you would have gotten if we dumped attributes directly in
RADIUS, that you don't claim to have something stronger than you have,
and that you don't prevent people who want something stronger from
getting it.
Scott> For example, many Shibboleth SPs rely on, and some put a lot
Scott> of stock in, the ability to filter information they get based
Scott> on information that's in the third party metadata.
Can you give some more concrete examples to help me?
Scott> Another
Scott> example is the (admittedly US-centric) demand for LOA
Scott> certifications in metadata.
You basically would not get this with ASM unless AAA picks it up.
Scott> I suppose I'm coming at this from the other end, but for me,
Scott> the AAA connectivity is a much bigger issue in terms of
Scott> scaling and deployment than SAML is. A lot of sites either
Scott> don't have RADIUS, or more likely, they have it, but it's
Scott> operated by people that are not going to be interested in
Scott> meeting the needs of federated applications. The SAML part
Scott> doesn't require that level of organizational buy-in at the
Scott> technical level (though it tends to at the policy/legal
Scott> level).
I'm honestly not sure how RADIUS requires more technical buy-in than
SAML. However at one level it doesn't matter. My position is that we
need to pick one base infrastructure and build everything on that. We
seem to have picked AAA. I'm not making any claim about whether AAA or
some other choice (including SAML) maximizes deployment in this
discussion. I'm claiming though that having picked our base
infrastructure, we need to make it work with that.
--Sam