On 26/05/2014 15:36, Sam Hartman wrote:
>>>>>> "Stefan" == Stefan Paetow <[log in to unmask]> writes:
>
> >> P.D: However if the RP is allowed to belong to different CoIs
> >> then when a user requests the access I was wondering how the RP
> >> selects the appropriate CoI.
>
> Stefan> Rafa, that's a good question… i.e. if RP and IdP are each
> Stefan> part of two TR COIs, wouldn't the most restrictive apply (in
> Stefan> terms of most restrictive, I mean the smallest TR COI that
> Stefan> matches both RP and IdP)?
>
> No, the RP proxy chooses which COI applies.
>
> They may have non-overlapping attribute release policies or other things
> that would make intersection and other set operators applied
> automatically inappropriate.
I would have thought it more appropriate for the user to choose (either
directly, or indirectly via the selected resource). I don't see how the
RP proxy can know what the user wants to do, unless it is implicit in
the workflow or chosen resource.
David
>
> --Sam
>