Adding support for the Shibboleth request mapper is something we should
do.
I'm not sure I agree with the discussions about where authorization
belongs. I think that depends on a lot of things:
* How central the policy is
* What infrastructure is available
* What protocols are used (different conventions for Kerberos and RADIUS)
* Practical considerations (it's difficult for a RADIUS proxy to look at SAML assertions)
* How fine-grained it is: per-object decisions almost have to be enforced at the application.
* Enforcement vs. policy expression: I definitely think having central elements assert local policy to applications is often the right way to go.
* Whose policy it is: IdP side or SP side
So, I think the decision about where things "should" happen is quite
complex. I think that means we need to give people a lot of tools.
--Sam