-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(no chair hat on for this)

> In practice, I don't think IdP-side aggregation works all that well and the 
> most common SAML profiles basically preclude it unless the IdP reissues the 
> data itself, so I tend to focus on doing it at the SP. But then I write SPs, 
> so that's a bias. I think when we do things like re-issue data at the IdP 
> end, there's not usually any kind of indicator to the SP that this was done, 
> because the whole point is often to hide it.
> 

There is a bit of operational experience from so-called hub-and-spoke
federations to support this. In the federation operators community
we've seen examples of, ahem, inventiveness at the SAML layer to
work around problems introduced by IdP aggregation.

Control question for Sam and Scott: is it possible (and reasonably
easy) to do SP-centric attribute aggregation for abfab, by which I
mean having the SP issue additional attribute queries to IdPs within
the AAA-centric trust model proposed by Sam and Josh?

        Cheers Leif
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk00BtwACgkQ8Jx8FtbMZneYyACfVxN0Ow+wa9hsKRgkyEMCIZuR
jusAoK8vAU+dkPQEAImU8/kZvPvv10W0
=pDQv
-----END PGP SIGNATURE-----
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
