> I can definitely see the utility of two targeted-to-gss-acceptor-realm (as discussed previously) and targeted-to-coi.
I'm more amenable to that.
> Not sure we're envisioning the COI identifier changing very often - that would require lots of
> changes on IdPs and RPs (changing their TR config to the new COI identifier). So don't see that as an issue.
If the underlying identifier (whichever way that is implemented) is used which may allow the COI's name (display/human-readable name) to change, then all's good.
Of course if someone *deletes* the COI from the portal and recreates it, all bets are off for obvious reasons :-)
Stefan
-----Original Message-----
From: Moonshot community list [mailto:[log in to unmask]] On Behalf Of Rhys Smith
Sent: 22 May 2014 13:39
To: [log in to unmask]
Subject: Re: Attribute filtering / access control with moonshot
On 22 May 2014, at 13:07, Stefan Paetow <[log in to unmask]> wrote:
> The reason why the NAI is not ideal is because it's not anonymous. An anonymous equivalent is more acceptable to those dealing with data protection legislation.
Absolutely. But NAI might be the answer in certain circumstances - but definitely not many.
> I guess there is logic to using RADIUS attributes over a SAML attribute; SAML is extremely wordy, whereas RADIUS will simply use a dictionary to map a set of numbers to names. If we were to go with RADIUS attributes, what RADIUS attributes would we look at?
Exactly. I don't think we want to go beyond these few identifiers as RADIUS attributes since that's what the SAML integration is for. But I can see that it would be useful to gain access to a small set of identifiers in a simpler fashion.
> moonshot-id-targeted-to-realm (similar to CUI)
> moonshot-id-targeted-to-rp (similar to the targeted ID in SAML)
> moonshot-id-targeted-to-coi (similar to the targeted ID in SAML, but
> using COI instead of RP)
I can definitely see the utility of two targeted-to-gss-acceptor-realm (as discussed previously) and targeted-to-coi.
> What if the COI name changes? Should everything reset? Not sure you'd want that to happen!
Not sure we're envisioning the COI identifier changing very often - that would require lots of changes on IdPs and RPs (changing their TR config to the new COI identifier). So don't see that as an issue.
Rhys.
--
Dr Rhys Smith
Identity, Access, and Middleware Specialist
Cardiff University & Janet, the UK's research and education network
email: [log in to unmask] / [log in to unmask]
GPG: 0x4638C985
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
not-for-profit company which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238