On 18/04/2013, at 6:44 PM, Paul Millar <[log in to unmask]> wrote:
> * which agent contacts the group-IdPs: the RP (directly
> SAML query, another RADIUS query) or one of the RADIUS
> servers (if so, which one?)
My understanding is that this is implementation dependent. Most typically the SAML assertion and/or RADIUS attributes will be updated by AAAs on the path between the RP and the user's home IdP.
Others, please correct me if I am wrong.
> * how is trust handled? (how does the RP know that the
> group-IdP is to be trusted?)
Using the existing AAA trust mechanisms (RADIUS/Diameter).
> This is interesting, but doesn't affect dCache: we have our own pluggable identity management system, so don't depend on the underlying OS for authentication or authorisation.
So, maybe you can use the claims directly instead of mapping them to UIDs/GIDs? Or, if you need to map them to a machine-readable name, you can use a hierarchical ID that is more easily federated? (Like Windows SIDs.)
-- Luke