>>>>> "Cantor," == Cantor, Scott E writes:
>> Determining who that is is tricky. For gss-eap and krb5 parsing
>> the initiator name and saying the attribute is issued by the
>> realm in question is fine.
Cantor,> I think what I've done provides an appropriate separation
Cantor,> of concerns, but it's left to the mechanism calling me to
Cantor,> set an "issuer" that is outside the SAML domain (or leave
Cantor,> it empty, which is what happens now). I don't want to get
Cantor,> into parsing GSS names in some open-ended (or
Cantor,> mechanism-specific) way inside my library.
Cantor,> There's also a hook now to set a "protocol" string to use
Cantor,> in acquiring SAML metadata for the issuer, and a fallback
Cantor,> to the existing SAML protocol constant when one isn't set,
Cantor,> so I don't have to bake in anything specific to Moonshot or
Cantor,> ABFAB at this point.
How will this work for Apache?
In that context, will mod-auth-gss be in a good position to know what
the issuer is?