> But if that's the case, then why are we bothering to make a RADIUS attribute for a targeted-to-rp
> identifier at all when we can just use SAML?
If this is the preferable method for everyone in the ecosystem, then perhaps that's one way we could go.
> I see the main reason as being able to provide an identifier in an easy to get & deal with way in RADIUS
> only, so that people only have to do the SAML bits for more complex attribute/authorisation requirements.
> In which case, having a targeted-to-rp and a targeted-to-coi radius attribute makes sense to me? (the
> global-id is already there - the user's NAI).
The reason why the NAI is not ideal is because it's not anonymous. An anonymous equivalent is more acceptable to those dealing with data protection legislation.
I guess there is logic to using RADIUS attributes over a SAML attribute; SAML is extremely wordy, whereas RADIUS will simply use a dictionary to map a set of numbers to names. If we were to go with RADIUS attributes, what RADIUS attributes would we look at?
moonshot-id-targeted-to-realm (similar to CUI)
moonshot-id-targeted-to-rp (similar to the targeted ID in SAML)
moonshot-id-targeted-to-coi (similar to the targeted ID in SAML, but using COI instead of RP)
What if the COI name changes? Should everything reset? Not sure you'd want that to happen!
Stefan
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
not-for-profit company which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
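As an added illustration (not part of the thread and not Moonshot's own code), the script below shows one way an IdP could derive the three attributes proposed above as pairwise pseudonyms, so that the value sent to one RP cannot be linked to the value sent to another and never exposes the user's NAI. It assumes: an HMAC over (user NAI, scope) keyed with an IdP secret as the derivation (one common construction, not necessarily what Moonshot would use); that "targeted-to-realm" is scoped to the relying party's realm in the CUI sense; a placeholder vendor-id and placeholder vendor-type numbers for the dictionary entries; and constructed user and RP names. It also demonstrates the concern about a COI name change: a pseudonym keyed on the display name resets when the name changes, which is why the COI scope should be a stable registered key rather than the name.

```python
import hashlib
import hmac
import struct

# Constructed IdP secret for this example. A real IdP keeps a long random secret
# and rotates it only deliberately, since rotation changes every derived id.
IDP_SECRET = b"constructed-example-idp-secret"

# Hypothetical dictionary entries for the attribute names proposed in the thread.
# Both the vendor-id and the vendor-type numbers are placeholders, not registered values.
EXAMPLE_VENDOR_ID = 99999  # placeholder, not a registered enterprise number
RADIUS_DICTIONARY = {
    "moonshot-id-targeted-to-realm": 1,  # placeholder vendor-type numbers
    "moonshot-id-targeted-to-rp": 2,
    "moonshot-id-targeted-to-coi": 3,
}


def targeted_id(user_nai: str, scope: str, secret: bytes = IDP_SECRET) -> str:
    """Pairwise pseudonym: stable for a given (user, scope), different across
    scopes, and not reversible to the NAI without the IdP secret."""
    msg = user_nai.encode() + b"\x00" + scope.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def build_attributes(user_nai: str, rp_realm: str, rp: str, coi_key: str) -> dict:
    """Values for the three proposed attributes for one authentication.

    rp_realm: realm of the relying party (CUI-like scope, assumption).
    rp:       identifier of the relying party itself (SAML targeted-ID-like).
    coi_key:  a stable key for the community of interest, NOT its display name,
              so that renaming the COI does not reset everyone's identifier.
    """
    return {
        "moonshot-id-targeted-to-realm": targeted_id(user_nai, "realm:" + rp_realm),
        "moonshot-id-targeted-to-rp": targeted_id(user_nai, "rp:" + rp),
        "moonshot-id-targeted-to-coi": targeted_id(user_nai, "coi:" + coi_key),
    }


def encode_vsa(name: str, value: str) -> bytes:
    """Wrap one value as an RFC 2865 Vendor-Specific attribute (type 26):
    type, length, vendor-id, then vendor-type, vendor-length, string."""
    data = value.encode()
    body = struct.pack("!BB", RADIUS_DICTIONARY[name], 2 + len(data)) + data
    return struct.pack("!BBI", 26, 6 + len(body), EXAMPLE_VENDOR_ID) + body


if __name__ == "__main__":
    # Constructed names: one user authenticating to two RPs in the same COI.
    for rp in ("wiki.sp.example.org", "files.sp.example.org"):
        attrs = build_attributes("alice@example.ac.uk", "sp.example.org", rp, "coi-key-0001")
        for name, value in attrs.items():
            print(rp, name, value, encode_vsa(name, value).hex())
    # The renaming concern: keying on the name resets the identifier.
    print(targeted_id("alice@example.ac.uk", "coi:Old COI Name"))
    print(targeted_id("alice@example.ac.uk", "coi:New COI Name"))
```

Running it prints a different targeted-to-rp value for each RP but the same targeted-to-coi and targeted-to-realm values, none of which contain the NAI, and shows that deriving the COI identifier from a renamed display name yields an unrelated value.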