On 22/05/14 16:34, Rhys Smith wrote:
> On 22 May 2014, at 15:25, Gabriel López <[log in to unmask]> wrote:
>
>>> So then services would look for:
>>> 1) User-Name; if not present look at
>>> 2) moonshot-tr-coi-targetedid; if not present look at
>>> 3) moonshot-tr-realm-targetedid; if not present then
>>> 4) user is anonymous (identifier-less).
>>
>>
>> Making use of 1), 3) or 4) can give the service this kind of CUI-like
>> attribute we are looking for, but I still see CoI like a more generic
>> authorization information, something like group, role, entitlement, etc,
>> etc..... and I would expect this in something like the SAML sentence.
>
> For 2), I’m thinking of cases where the Community might be, say, a HPC consortium, and they want a consistent, but pseudonymous, identifier across all of the RPs in their particular (a mixture of SSH servers and web servers). So that is certainly an identifier for the user, and not more generic authorisation information. So I think there’s a definite set of use cases for all of those.
>
I see your use case.
If you want to make use of this value just for identification, that's ok,
but if you want to specify something like "If the user belongs to
hash(coi)@idp then ..." then I suppose we are talking about
authorization ....
regards, Gabi.
> Fully agree that anything more generic like group/role/entitlement etc should be done in SAML.
>
> Rhys.
> --
> Dr Rhys Smith
> Identity, Access, and Middleware Specialist
> Cardiff University & Janet, the UK's research and education network
>
> email: [log in to unmask] / [log in to unmask]
> GPG: 0x4638C985
>
--
--------------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: [log in to unmask]
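The lookup order quoted at the top of the thread (User-Name, then the CoI targeted id, then the realm targeted id, else anonymous), written out as an added example. This is not code from the thread or from the Moonshot project; it assumes the service sees the RADIUS attributes as a mapping from attribute name to a list of values (RADIUS attributes may repeat, so the first non-empty value wins), uses the attribute names exactly as given in the thread, and all sample values are constructed.

```python
from typing import Mapping, Optional, Sequence, Tuple

# Precedence quoted in the thread: a real User-Name first, then the
# community-scoped pseudonym, then the realm-scoped pseudonym. Anything
# more generic (group, role, entitlement) is out of scope here; the thread
# agrees that belongs in SAML, not in these attributes.
IDENTIFIER_PRECEDENCE: Sequence[str] = (
    "User-Name",
    "moonshot-tr-coi-targetedid",
    "moonshot-tr-realm-targetedid",
)

ANONYMOUS = "anonymous"

Attrs = Mapping[str, Sequence[object]]


def _first_value(attrs: Attrs, name: str) -> Optional[str]:
    """First non-empty value of a possibly repeated RADIUS attribute.

    Representation as dict-of-lists is an assumption of this example;
    bytes are decoded as UTF-8 so a raw AVP payload can be passed in.
    """
    for value in attrs.get(name, ()):
        if isinstance(value, bytes):
            value = value.decode("utf-8", errors="replace")
        text = str(value).strip()
        if text:
            return text
    return None


def resolve_identifier(attrs: Attrs) -> Tuple[str, Optional[str]]:
    """Apply the precedence list.

    Returns (kind, value), where kind is the attribute name the identifier
    came from, or (ANONYMOUS, None) when none of them carries a usable value.
    An attribute that is present but empty/blank counts as "not present".
    """
    for name in IDENTIFIER_PRECEDENCE:
        value = _first_value(attrs, name)
        if value is not None:
            return name, value
    return ANONYMOUS, None


def is_pseudonymous(kind: str) -> bool:
    """True for the two targeted-id kinds, i.e. an opaque but stable handle
    rather than the user's real name."""
    return kind.endswith("-targetedid")


def local_account_key(attrs: Attrs) -> Optional[str]:
    """Key under which a service may keep per-user state (e.g. a home
    directory for an SSH RP). Anonymous sessions get no persistent key."""
    kind, value = resolve_identifier(attrs)
    if kind == ANONYMOUS:
        return None
    return f"{kind}:{value}"


# Constructed sample attribute sets (not real traffic).
SAMPLE_NAMED: Attrs = {
    "User-Name": ["alice@example.org"],
    "moonshot-tr-coi-targetedid": ["d41d8cd9@idp.example.org"],
}
SAMPLE_COI: Attrs = {
    "moonshot-tr-coi-targetedid": [b"d41d8cd9@idp.example.org"],
    "moonshot-tr-realm-targetedid": ["7f2a6b1c@idp.example.org"],
}
SAMPLE_REALM: Attrs = {
    "User-Name": ["   "],  # present but blank: treated as absent
    "moonshot-tr-realm-targetedid": ["7f2a6b1c@idp.example.org"],
}
SAMPLE_ANON: Attrs = {"Some-Other-Attribute": ["x"]}

if __name__ == "__main__":
    for label, sample in (("named", SAMPLE_NAMED), ("coi", SAMPLE_COI),
                          ("realm", SAMPLE_REALM), ("anon", SAMPLE_ANON)):
        kind, value = resolve_identifier(sample)
        print(f"{label:5s} -> kind={kind} value={value} "
              f"pseudonymous={is_pseudonymous(kind)} "
              f"account_key={local_account_key(sample)}")
```

The blank User-Name case is the one worth noticing: a service that tests only for attribute presence would treat an empty name as a real identity and skip the pseudonymous fallbacks, so the example strips and discards blank values before moving down the list.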