[OGSA-AUTHZ] VO SAML Attribute Profile

Krzysztof Benedyczak golbi at mat.uni.torun.pl
Wed Feb 13 07:26:22 CST 2008


Hi Tom,

Thank you for the comprehensive answer.

Tom Scavo wrote:
> I don't think you can safely infer scope from entityID.  In
> Shibboleth, all IdP scopes are called out in SAML metadata.  The SP
> consumes the metadata and says to itself "okay, I'll recognize any of
> the scopes you've listed here, it doesn't matter to me which one you
> use for a particular response."
And here is my doubt. You mean that the *IdP's* metadata contains the scopes 
which are valid for it? The SP processes the metadata and later checks if 
an assertion from this particular IdP has one of the scopes defined there?
If so, what is the sense of such a check, as the IdP can put any scope in its 
metadata (also conflicting with the scopes of other IdPs)?

Probably after taking the Internet2 lecture on the scopes I wouldn't ask 
this question ;)

Except for this question, the rest is now clear to me.

Best regards
Krzysztof
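
The scope check described in the quoted text and the conflict case asked about in this message, as an added example that is not part of the original thread and not Shibboleth's own code. It assumes scopes are published as shibmd:Scope elements in IdP metadata; the two entityIDs, the sample metadata and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}
IDP_A = "https://idp.example.org/idp"  # hypothetical entityIDs
IDP_B = "https://idp.example.net/idp"

def _entity(entity_id, scopes):
    """Build one constructed EntityDescriptor with the given scopes."""
    tags = "".join(f'<shibmd:Scope regexp="false">{s}</shibmd:Scope>' for s in scopes)
    return (f'<md:EntityDescriptor entityID="{entity_id}"><md:IDPSSODescriptor '
            f'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<md:Extensions>{tags}</md:Extensions></md:IDPSSODescriptor>'
            f'</md:EntityDescriptor>')

# Constructed sample: IDP_B also declares a scope that IDP_A declares.
METADATA = (f'<md:EntitiesDescriptor xmlns:md="{NS["md"]}" xmlns:shibmd="{NS["shibmd"]}">'
            + _entity(IDP_A, ["example.org"])
            + _entity(IDP_B, ["example.net", "example.org"])
            + '</md:EntitiesDescriptor>')

def load_scopes(xml_text):
    """Map each IdP entityID to the literal scopes its metadata declares."""
    scopes = defaultdict(set)
    for entity in ET.fromstring(xml_text).iter("{%s}EntityDescriptor" % NS["md"]):
        for scope in entity.iterfind(".//shibmd:Scope", NS):
            if scope.get("regexp", "false") == "false" and scope.text:
                scopes[entity.get("entityID")].add(scope.text.strip().lower())
    return dict(scopes)

def scope_allowed(scopes, issuer, scoped_value):
    """Accept user@scope only if the issuing IdP's own metadata lists that scope."""
    _, sep, scope = scoped_value.rpartition("@")
    return bool(sep) and scope.lower() in scopes.get(issuer, set())

def conflicting_scopes(scopes):
    """Scopes declared by more than one IdP, for review when metadata is loaded."""
    owners = defaultdict(list)
    for issuer, declared in scopes.items():
        for scope in declared:
            owners[scope].append(issuer)
    return {s: sorted(ids) for s, ids in owners.items() if len(ids) > 1}

if __name__ == "__main__":
    s = load_scopes(METADATA)
    # The per-IdP check passes for IDP_B; the overlap report flags the shared scope.
    print(scope_allowed(s, IDP_B, "bob@example.org"), conflicting_scopes(s))
```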

