Hi Luke,
On 10/07/2013 00:35, "Luke Howard" wrote:
>>> Also, from a Moonshot standpoint, do we have any plans to implement
>>> anything heavier-weight than what we do now?
>>
>> Well, before we can think about implementation we should think about GSS
>> API methods capable of leveraging the request/response pattern, given an
>> established GSS context (e.g., to obtain attributes for a principal that
>> weren't provided in the initial context set-up; or to obtain an
>> authorisation decision from a remote PEP after authentication).
>
>I thought the idea was just to use the request/response messages within
>the AAA protocol rather than make an actual SOAP request?

Yes, that's correct. We want to be able to use AAA for the initial
authentication and attributes, but then also subsequently have the ability
to request additional attributes using the AAA channel.

> It would be possible to defer attribute collection until
>gss_get_name_attribute() was called. In theory this would work for one
>way of retrieving attributes via the SSP, but not the way we would want
>to do things going forward (i.e. for Windows 8 claims compatibility).
>
>I'm not exactly sure what you mean by "obtain attributes for a principal
>that wasn't provided in the initial context set-up" -- what kind of
>principal would this be? Are you thinking about attributes for the device
>the user is authenticating from, or something?

Imagine there is a third-party attribute provider, operated by someone
other than the IdP operator, that also has attributes for the user that
the RP would like to supplement the attributes provided by the IdP.

Josh.

Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
not-for-profit company which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238