
Alistair Young wrote:

> Is this process of user identification via sessions documented anywhere
> in the fed tech docs? Shibboleth doesn't support SAML2 so it would be
> nice to know exactly what is meant by talking of session ids that
> identify users. This sounds like it's an addition to the Shibboleth
> profile that's specific to the uk federation, so it must be documented
> somewhere?

It may well be that we could clarify the wording in the Rules of
Membership.  Rhys was quite right about the intention, though:

When your IdP sends an authentication assertion to the SP, the subject
is identified by a transient opaque name identifier for later reference
(for instance, in the attribute query that usually follows).  This is
the thing that in early Shibboleth was called the handle.

What the Rules are asking for in 6.5 is that the identity provider logs
sufficient information so that, if a service provider comes to you
investigating (for example) misuse of their service by one of your
users, you can figure out which user that handle represented.

The idea is that this is about user accountability.  Users can't be
accountable if they are completely anonymous to *everyone*.  The
compromise here is that they are anonymous to the service provider
(known only by an opaque transient handle) but *not to the identity
provider*.


Does this make the intention clear?  If so, do the rules (in retrospect)
now make sense, or can you think of a way that we can clarify this?  We
can make clarifying changes to the technical documents fairly easily;
the rules are harder, of course, because they are a legal agreement that
many people have already signed.  But, in theory, they could be improved
too.

	-- Ian
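The lookup Ian describes (SP brings you a transient handle and a time; IdP works back to the local account) as an added, illustrative example. This is not code from the thread, from Shibboleth or from the UK federation, and the pipe-delimited audit line layout (timestamp|requester entityID|transient handle|principal) and all sample values are constructed assumptions, not the real IdP audit log format. The point it makes beyond the prose: a transient handle is only unique per assertion, so the log must carry the requesting SP and the issue time and the lookup must be scoped by both, refusing to guess when that still leaves more than one user.

```python
"""Resolve a transient SAML handle back to a local user from IdP audit records.

Added example. The log format below is a constructed, simplified
pipe-delimited record, NOT the real Shibboleth IdP audit log layout.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample audit lines; entityIDs, handles and users are invented.
# Note the same handle value appearing on two days for two different users:
# transient identifiers carry no uniqueness guarantee across assertions.
SAMPLE_AUDIT_LOG = """\
# issued_at|requester entityID|transient handle|principal
2024-03-01T09:15:02Z|https://sp.example.ac.uk/shibboleth|_a1f9c0d3e7b2|alice
2024-03-01T09:16:40Z|https://other.example.org/shibboleth|_b77e1c9d0a44|bob
2024-03-02T14:02:11Z|https://sp.example.ac.uk/shibboleth|_a1f9c0d3e7b2|carol
"""


@dataclass(frozen=True)
class AuditRecord:
    issued_at: datetime   # when the authentication assertion was issued (UTC)
    requester: str        # SP entityID the assertion was sent to
    handle: str           # transient, opaque NameID value (the "handle")
    principal: str        # local account that authenticated


def parse_audit_log(text: str) -> list[AuditRecord]:
    """Parse the constructed audit format; reject malformed lines loudly
    rather than silently dropping evidence."""
    records: list[AuditRecord] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        ts, requester, handle, principal = fields
        issued_at = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(AuditRecord(issued_at, requester, handle, principal))
    return records


def resolve_handle(records: list[AuditRecord], handle: str, requester: str,
                   seen_at: datetime, window: timedelta = timedelta(hours=8)) -> Optional[str]:
    """Return the principal behind `handle` as presented to `requester` at `seen_at`.

    The handle is scoped to the SP it was issued to and to a window after
    issuance (the assumed maximum SP session length, a hypothetical default).
    If that still matches more than one distinct user, return None instead
    of guessing: accountability evidence must not be ambiguous.
    """
    candidates = {
        r.principal
        for r in records
        if r.handle == handle
        and r.requester == requester
        and r.issued_at <= seen_at <= r.issued_at + window
    }
    return candidates.pop() if len(candidates) == 1 else None


if __name__ == "__main__":
    log = parse_audit_log(SAMPLE_AUDIT_LOG)
    when = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    print(resolve_handle(log, "_a1f9c0d3e7b2", "https://sp.example.ac.uk/shibboleth", when))
```

The same handle value resolves to `alice` for a complaint timed on 1 March and to `carol` for one timed on 2 March; presented with the wrong SP entityID, or outside the window, it resolves to nothing, which is the behaviour you want when the evidence does not actually support an identification.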