Hi Josh, Rafa,
I'm guessing that this is one of the reasons why there is currently a restriction that the RP can only belong to one COI at any one time (whereas IdPs are free to belong to any number of COIs), so that the trust router can correctly establish which COI is being used.
Stefan
-----Original Message-----
From: Moonshot community list [mailto:[log in to unmask]] On Behalf Of Josh Howlett
Sent: 29 May 2014 09:48
To: [log in to unmask]
Subject: Re: Attribute filtering / access control with moonshot
> And the user belongs to IdP-1 and engages in authentication with RP-1,
> RP-1 will know it has to choose CoI-X or CoI-Y so I guess under
> "your" policy the RP will choose CoI-Y. However, if my understanding
> is correct the purpose of CoI-X might be different than CoI-Y so
> selecting one or the other changes somehow the purpose of the access.
I think that's why, at least initially, we should work on the basis that the CoI is implicit in the service that the user has selected. That way there is no ambiguity about which CoI should be "in play". Namespace is cheap...
Josh.
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238