Hi!
I've been asked by Josh to think about how to register the service providers.
When I talk about service providers here, I mean services like an OpenLDAP or a Jabber instance, not what you normally mean by a service provider in a SAML context.
The problem we want to solve is that the IdP might want to have different attribute release policies for these services.
The simplest way to accomplish this is to have the Radius-SP use different entityIDs for different services.
To get this to work a service identifier must be passed through to the Radius server.
An identifier doesn't necessarily have to be one attribute-value pair, a set would work equally well as long as it uniquely identifies a service.
This identifier would then be used by the Radius-SP to construct/map to an entityID used in the conversation with the IdP.
In essence the Radius-SP would use different guises dependent on which service it serves.
Given that the above is possible, the next step would be to find a way to register the services and assign entityIDs.
Once that is done a script could be made that constructed the necessary SAML metadata to be fed to the IdP.
Thoughts/comments?
-- Roland
------------------------------------------------------
Roland Hedberg
IT Architect
ICT Services and System Development (ITS)
Umeå University
SE-901 87 Umeå, Sweden
Phone +46 90 786 68 44
Mobile +46 70 696 68 44
www.its.umu.se
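A sketch of the registry and metadata script described in the mail, added here as an example and not part of Roland's post: a service is identified by a set of RADIUS attribute-value pairs, the Radius-SP maps that set to a per-service entityID (its guise towards the IdP), and a generator emits one SP EntityDescriptor per service so the IdP can attach a separate attribute release policy to each. The hostnames, entityIDs, the PAOS binding and the requested-attribute lists are assumptions.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"  # assumed binding for the Radius-SP
ET.register_namespace("md", MD)

# Constructed registry (hypothetical names): a service is identified by a set of
# RADIUS attribute-value pairs, not necessarily a single one, as the mail allows.
SERVICE_REGISTRY = [
    {"match": {"NAS-Identifier": "ldap.example.org"},
     "entity_id": "https://radius-sp.example.org/openldap",
     "acs": "https://radius-sp.example.org/openldap/acs",
     "attrs": ["uid"]},
    {"match": {"NAS-Identifier": "xmpp.example.org", "Service-Type": "Login-User"},
     "entity_id": "https://radius-sp.example.org/jabber",
     "acs": "https://radius-sp.example.org/jabber/acs",
     "attrs": ["uid", "mail"]},
]

def resolve_entity_id(radius_attrs, registry=SERVICE_REGISTRY):
    """Pick the guise for a request: the service whose whole identifying set is
    present wins (largest set first). An unknown service yields None instead of
    a default entityID, so attributes are never released to the wrong guise."""
    best = None
    for svc in registry:
        if all(radius_attrs.get(k) == v for k, v in svc["match"].items()):
            if best is None or len(svc["match"]) > len(best["match"]):
                best = svc
    return best["entity_id"] if best else None

def build_metadata(registry=SERVICE_REGISTRY):
    """Emit one SP EntityDescriptor per registered service, each listing the
    attributes that service needs, so the IdP can key its release policy on it."""
    root = ET.Element(f"{{{MD}}}EntitiesDescriptor")
    for svc in registry:
        ed = ET.SubElement(root, f"{{{MD}}}EntityDescriptor", entityID=svc["entity_id"])
        sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor",
                           protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
        ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                      Binding=PAOS, Location=svc["acs"], index="0")
        acs = ET.SubElement(sp, f"{{{MD}}}AttributeConsumingService", index="0")
        # ServiceName is mandatory in AttributeConsumingService; reuse the entityID
        name = ET.SubElement(acs, f"{{{MD}}}ServiceName",
                             {"{http://www.w3.org/XML/1998/namespace}lang": "en"})
        name.text = svc["entity_id"]
        for attr in svc["attrs"]:
            ET.SubElement(acs, f"{{{MD}}}RequestedAttribute", Name=attr, isRequired="true")
    return ET.tostring(root, encoding="unicode")
```

Feeding the output of build_metadata() to the IdP gives it one entityID per service to hang a release policy on; the lookup in resolve_entity_id is what the Radius-SP would do per request.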