> >> Control question for Sam and Scott: is it possible (and
> >> reasonably easy) to do SP-centric attribute aggregation for
> >> abfab, by which I mean having the SP issue additional attribute
> >> queries to IdPs within the AAA-centric trust model proposed by
> >> Sam and Josh?
>
> Josh> Yes, possible and easy (assuming, obviously, we can assume
> Josh> that the SPs and IdP have a common identifier for the
> Josh> subject).
>
> Josh, I suspect you are right, but the details are not clear to me.
Nor me in truth; I suspect that I am about to discover it was inadvisable of me to claim 'easy' :-)

> How does the SP address the request to a particular AA?

The model that I have in mind is that we specify a set of standard endpoint locator names for different types of Issuer roles. These can be used, in conjunction with the NAI realm of the Issuer, to construct a complete NAI.

e.g. say we specify the "saml-20-aa" name to mean a SAML 2.0 attribute authority. An SP wanting to route a message to this actor at example.com prefixes the realm of the intended Issuer with this, thus "saml-20-aa.example.com".

The AAA SAML attribute within this request message contains a SAML Request message containing the identifier for the subject.

Josh.
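The routing scheme Josh sketches, as an added illustration that is not part of the thread or any abfab implementation: the locator-name registry, the validation rules for the realm, the SP entity ID and the subject identifier are all assumptions, and only "saml-20-aa" comes from the message itself. It builds the routing NAI from a locator name and realm, refuses realms that could carry a different destination, and serialises the SAML 2.0 AttributeQuery that the AAA SAML attribute would carry.

```python
import re
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Hypothetical registry of standard endpoint locator names; the thread
# only proposes "saml-20-aa", so this is an assumed table.
ENDPOINT_LOCATORS = {"saml-20-aa": "SAML 2.0 attribute authority"}

# Assumed realm syntax: two or more DNS-style labels (letters, digits,
# hyphens; no leading/trailing hyphen). Anything else ('@', '/', spaces)
# is rejected so a caller cannot redirect the message elsewhere.
_REALM_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")

def routing_nai(role: str, realm: str) -> str:
    """NAI that routes an AAA message to Issuer role `role` at `realm`."""
    if role not in ENDPOINT_LOCATORS:
        raise ValueError(f"unknown endpoint locator name: {role!r}")
    if not _REALM_RE.match(realm):
        raise ValueError(f"invalid NAI realm: {realm!r}")
    return f"{role}.{realm.lower()}"

def split_routing_nai(nai: str) -> tuple[str, str]:
    """Inverse of routing_nai: recover (role, realm) or raise."""
    role, sep, realm = nai.partition(".")
    if not sep or role not in ENDPOINT_LOCATORS or not _REALM_RE.match(realm):
        raise ValueError(f"not a routing NAI: {nai!r}")
    return role, realm

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def attribute_query(sp_entity_id: str, subject_id: str, names: list[str]) -> bytes:
    """Minimal SAML 2.0 AttributeQuery naming the subject identifier the
    SP and IdP share; this is the payload of the AAA SAML attribute."""
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = sp_entity_id
    subject = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = subject_id
    for name in names:  # attributes the SP is asking the AA for
        ET.SubElement(q, f"{{{SAML}}}Attribute", {"Name": name})
    return ET.tostring(q)
```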
