On Wed, 23 Apr 2008, Fiona Culloch wrote:
>> We have a shibboleth application which only needs to be accessible by
>> HE & FE institutions due to copyright issues. It seems the UK federation
>> includes schools, HE, FE and research.
> [...] it might be possible to persuade the federation operator to
> mark IdP entities based on whether their users are HE, FE, etc.,
Surely this would only be useful if such marking was defined to qualify
ePSA values of 'member' (or something similar) asserted by each IdP? This
would allow a restriction of "accessible by people who are _members of_ HE
& FE institutions" to be implemented, which is presumably what's actually
wanted (institutions don't access applications, people do). To make access
control decisions based only on a classification of the IdP that
identifies someone seems dangerous and a retrograde step.
In any case, given the ever-increasing complexity in this field, isn't it
overly simplistic to assume that IdPs (or presumably their operators) can
be accurately and exclusively classified into 'HE', 'FE', 'School', etc? If
we wanted to go down this route (and I can see it could be useful), would
it not be better for IdPs to assert an attribute value for appropriate
users that carries a meaning of something like "is undertaking HE" (etc.)
and for 'HE use only' to be implemented by reference to that?
Jon.
--
Jon Warbrick
Web/News Development, Computing Service, University of Cambridge
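The three policies the message contrasts, written out as an SP-side authorisation check. This is an added illustration, not code from the thread, the UK federation or any Shibboleth component: the entity IDs, registered scopes, sector markings and the entitlement URN are all constructed for the example, and the "sector marking" simply stands in for whatever per-IdP classification a federation operator might publish. The scope check mirrors what a Shibboleth SP does when it compares an asserted eduPersonScopedAffiliation scope against the IdP's registered scope in metadata.

```python
"""Added example: 'HE & FE only' implemented three ways at the SP.

All entity IDs, scopes, sector markings and the entitlement value below are
constructed for illustration; none is taken from a real federation or IdP.
"""
from typing import Dict, List, Tuple

# Constructed federation metadata: entity ID -> (sector marking, registered scope).
IDP_METADATA: Dict[str, Tuple[str, str]] = {
    "https://idp.uni.example.ac.uk/shibboleth": ("HE", "uni.example.ac.uk"),
    "https://idp.college.example.ac.uk/shibboleth": ("FE", "college.example.ac.uk"),
    "https://idp.school.example.sch.uk/shibboleth": ("School", "school.example.sch.uk"),
}

ALLOWED_SECTORS = {"HE", "FE"}

# Hypothetical per-user entitlement value (the post's third option: the IdP
# asserts "is undertaking HE/FE" about the person, not about itself).
HYPOTHETICAL_HE_FE_ENTITLEMENT = "urn:example:entitlement:undertaking-he-or-fe"


def parse_scoped(value: str) -> Tuple[str, str]:
    """Split a scoped affiliation such as 'member@uni.example.ac.uk'."""
    affiliation, sep, scope = value.partition("@")
    if not sep or not affiliation or not scope:
        raise ValueError(f"malformed scoped affiliation: {value!r}")
    return affiliation.lower(), scope.lower()


def valid_member_affiliations(idp: str, epsa_values: List[str]) -> List[str]:
    """Return the 'member' values whose scope the asserting IdP is registered for.

    An IdP may only vouch for scopes listed against it in metadata; a value
    carrying any other scope is discarded rather than trusted.
    """
    if idp not in IDP_METADATA:
        return []
    _, registered_scope = IDP_METADATA[idp]
    accepted = []
    for raw in epsa_values:
        try:
            affiliation, scope = parse_scoped(raw)
        except ValueError:
            continue  # ignore malformed values instead of failing open
        if scope == registered_scope and affiliation == "member":
            accepted.append(raw)
    return accepted


def authorise_by_idp_only(idp: str, attrs: Dict[str, List[str]]) -> bool:
    """The approach the post calls dangerous: anyone from an HE/FE IdP is let in."""
    sector = IDP_METADATA.get(idp, ("", ""))[0]
    return sector in ALLOWED_SECTORS


def authorise_member_of_sector(idp: str, attrs: Dict[str, List[str]]) -> bool:
    """IdP sector marking qualifies a correctly scoped ePSA 'member' assertion."""
    sector = IDP_METADATA.get(idp, ("", ""))[0]
    if sector not in ALLOWED_SECTORS:
        return False
    epsa = attrs.get("eduPersonScopedAffiliation", [])
    return bool(valid_member_affiliations(idp, epsa))


def authorise_by_entitlement(idp: str, attrs: Dict[str, List[str]]) -> bool:
    """Per-user attribute: no classification of the IdP itself is needed."""
    if idp not in IDP_METADATA:  # still insist on a federation-registered IdP
        return False
    return HYPOTHETICAL_HE_FE_ENTITLEMENT in attrs.get("eduPersonEntitlement", [])


def evaluate_all(idp: str, attrs: Dict[str, List[str]]) -> Dict[str, bool]:
    """Run the three policies side by side for one authenticated user."""
    return {
        "idp_only": authorise_by_idp_only(idp, attrs),
        "member_of_sector": authorise_member_of_sector(idp, attrs),
        "entitlement": authorise_by_entitlement(idp, attrs),
    }


if __name__ == "__main__":
    he_idp = "https://idp.uni.example.ac.uk/shibboleth"
    # Constructed attribute sets: a staff/student member versus a library affiliate.
    member = {"eduPersonScopedAffiliation": ["member@uni.example.ac.uk"],
              "eduPersonEntitlement": [HYPOTHETICAL_HE_FE_ENTITLEMENT]}
    affiliate = {"eduPersonScopedAffiliation": ["affiliate@uni.example.ac.uk"]}
    print("member   :", evaluate_all(he_idp, member))
    print("affiliate:", evaluate_all(he_idp, affiliate))
```

The affiliate case is the point of the message: under the IdP-only policy an affiliate at an HE institution (a walk-in library user, say) gets in purely because of who authenticated them, while the other two policies deny them because nothing has been asserted about the person. The scope check also matters for the second policy: a value of `member@college.example.ac.uk` asserted by the university IdP is dropped, so one IdP cannot manufacture membership of another.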