> I don't think there is technical enforcement of that policy. There
> certainly isn't in the trust-router world unless you do it yourself.
There isn't, no. You are correct.
However, one would reasonably expect that those signing on for a specific set of policies in a COI would be required to abide by them or be ejected from the COI. Must it technically be enforced? That'd be up to the COI owner to decide, correct?
Since an authentication request from me to IdP1 would be direct in the trust router network (i.e. by realm, considering that the GSS-EAP connector ensures that the outer realm matches the inner realm), it would be reasonable to accept that authentications with CUI or the SAML-AAA-Assertion's 'eppn' are only applicable to the users authenticated by IdP1.
If IdP1 defers authentication to another server behind it (i.e. IdP2, which is not part of the trust router network), would that be acceptable to the COI? That would again be a policy decision, wouldn't it?
Stefan
--
This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd.
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
|