> Well, no.
> I get an opaque identifier from the IDP at the RP-side proxy.
> How do I decide whether I should permit that value to go towards the
> RP?
> The RP is likely to have this value on ACLs and the like. I need to
> enforce that no two IDPs can have the same value.
> I know which IDP it's coming from, but we have not proposed a mechanism
> to make this safe to use.
But that's up to the RP to decide what it wants to do, no? I mean, if the RP decides that it's going to add the realm to the end to ensure uniqueness, that's up to the RP to decide, not a technical policy/requirement/mechanism decision (i.e "you must...") by those who manage the infrastructure. Or am I misunderstanding the context here?
Stefan
--
This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd.
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
|