Subject: Re: [security-services] Proposed Enhancement for Dynamic Attribute Queries
On 03/28/2012 11:08 AM, David Chadwick wrote:
> Hi Leif
>
>>>
>>>> If you have a model of an all attribute providing IDP, and an
>>>> SP that offers multiple services with different authz
>>>> requirements, then you need a feature such as this
>>
>> No. You need a feature like this if you need to support _dynamic_
>> authz requirements. Supporting authz at all is sufficiently
>> difficult for SPs.
>
> the meta data approach is problematical for at least two reasons
>
> i) you get a combinatorial explosion of alternatives if each has to
> be separately statically specified in the metadata
>
> ii) at least one well known implementation (SimpleSAMLPHP) only
> supports the first metadata entry regardless of how many are
> actually present in the metadata.

I'm not sure the current way to support this in metadata is good - the
notion of an "entity category" that is being discussed in REFEDS is
probably better.

Also, if you need Andreas to do stuff, why not just ask him :-)

Cheers Leif