> -----Original Message-----
> From: Tom Scavo [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 09, 2008 7:48 PM
> To: Rachana Ananthakrishnan
> Cc: Benjamin Henne; GT User
> Subject: Re: [gt-user] authzChain combining algorithms in GT 4.2.1
>
> On Tue, Dec 9, 2008 at 11:43 AM, Rachana Ananthakrishnan
> <[EMAIL PROTECTED]> wrote:
> >
> > One way I can see this being used is if you configure things as follows:
> >
> > - Gridmap PIP (not a PDP), which just obtains a mapping if present and adds
> >   it to peer subject
> > - VOMS PIP, which extracts mapping if present and adds it to peer subject
> > - Custom PDP, which looks for at least one mapping in peer subject and
> >   returns a permit or deny
>
> This is essentially what the new GridShibPDP does, but how does the
> account mapper choose from potentially multiple mappings? First-come,
> first-served is all I can think of.

Application level parameters can allow the user to choose the mapping, and if the mapping exists post authorization, it is used. For example, WS-GRAM and RFT allow the user to pass a preferred local mapping as a parameter.

Rachana

>
> Tom
