Re: Minutes of 24 April 2001 Focus telecon

[Marlena Erdos <marlena@us.ibm.com>]

[Eve Maler of Oasis SAML  wrote:]
ACTION: Marlena to try and get the Shibboleth flow specification sent to
us.

Just a clarification: There is no "Shibboleth flow specification" at the
moment.There is however an English language description of the flows we
use.
  There is also a representation (again in English) of the "object" that
is used by a destination site to obtain an attribute assertion about the
user that contacted the destination. This object in concert with the
flows helps us solve the "indexical problem".
  The object is a structure that contains an opaque user handle
plus info about how to contact the attribute authority, plus some
info to prevent misuse of the object.  (More about this when
I send along the flows.)

    We (Shibboleth) came up with flows specifically because some of
us (including yours truly) believed that some of our messages might be
outside the scope of SAML.  And some of us felt really uncomfortable with
the indexical problem hanging over our heads.  (We didn't call it the
"indexical problem" however.  We didn't have a term --  we all just knew
what the problem was in the fairly-well-defined space of Shibboleth.)
   We didn't try to define an attribute query message because we wanted
to rely on SAML for that. That didn't seem like a big deal given that
we'd figured out the flows.  But, now that I'm looking at it harder,
we probably need our "object" (or something like it) put into the
attribute query message.

   I'm going to work with my Shibboleth colleagues** (the folks cc'd
above plus RL Bob Morgan who also participates in SAML) to create a
flow document that is readable by SAML folks, and to come up with what
we think we need in an attribute request message.


Regards,
Marlena

** There are lots of folks who participate in Shibboleth at various
levels.  The folks cc'd plus RL Bob and myself are the main designers
of the current architecture and flows.