Thank you. After a quick review of your docs, my sense is that Abfab could make
sense in your scenarios.
If I have understood you correctly, I think you are suggesting refactoring
Schaad-eps-trust such that it can use alternative bindings: WS-Trust or AAA.
I'm still undecided whether we are best served using a general purpose AAA-XML
attribute, or domain-specific AAA-SAML and AAA-PLASMA attributes. They both
share certain requirements of the AAA layer.
The consideration that weighs most in my mind is the implementation
implications of a general purpose XML attribute. We definitely don't want to
require AAA proxies to parse the attribute's XML blob to determine the next hop.
However, there's a similar issue in the AAA-SAML case where AAA proxies need to
disambiguate between different types of SAML Issuers. I have suggested (see
attached) using standard function-specific identifiers in the AAA Network
Access Identifier. So, PLASMA could perhaps also define an identifier(s) that
provide the necessary routing cue(s).
Josh.
--- Begin Message ---
> >> Control question for Sam and Scott: is it possible (and
> >> reasonably easy) to do SP-centric attribute aggregation for
> >> abfab, by which I mean having the SP issue additional attribute
> >> queries to IdPs within the AAA-centric trust model proposed by
> >> Sam and Josh?
>
> Josh> Yes, possible and easy (assuming, obviously, we can assume
> Josh> that the SPs and IdP have a common identifier for the
> Josh> subject).
>
> Josh, I suspect you are right, but the details are not clear to me.
Nor me in truth; I suspect that I am about to discover it was inadvisable of me
to claim 'easy' :-)
> How does the SP address the request to a particular AA?
The model that I have in mind is that we specify a set of standard endpoint
locator names for different types of Issuer roles. These can be used, in
conjunction with the NAI realm of the Issuer, to construct a complete NAI.
e.g. say we specify the "saml-20-aa" name to mean a SAML 2.0 attribute
authority. An SP wanting to route a message to this actor to example.com
prefixes the realm of the intended Issuer with this, thus
"saml-20-aa.example.com". The AAA SAML attribute within this request message
contains a SAML Request message containing the identifier for the subject.
Josh.
--- End Message ---
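As an added illustration of the routing scheme sketched in the forwarded message (this is example code written for this page, not code from the thread, ABFAB, or any AAA implementation): an SP builds the NAI by prefixing the Issuer's realm with a role label such as "saml-20-aa", intermediate AAA proxies pick a next hop by longest-suffix match on the realm alone, and only the home realm consults the role label to dispatch to the right Issuer. The "plasma-pdp" label, the next-hop table and the peer addresses are constructed for the example; "saml-20-aa" is the label proposed in the thread, and 2083 is the RadSec port.

```python
# Added example: function-specific role labels in an NAI realm, so AAA proxies
# route without ever parsing the SAML/XML attribute blob carried in the request.
from typing import Dict, Optional

# Role labels: "saml-20-aa" is proposed in the thread; "plasma-pdp" is hypothetical.
ROLE_LABELS: Dict[str, str] = {
    "saml-20-aa": "SAML 2.0 attribute authority",
    "plasma-pdp": "PLASMA policy decision point",
}

# Constructed next-hop table such as a proxy might hold: realm -> AAA peer.
NEXT_HOP_BY_REALM: Dict[str, str] = {
    "example.com": "aaa.example.com:2083",
    "example.org": "aaa.example.org:2083",
}


def build_nai(role_label: str, realm: str) -> str:
    """SP side: prefix the Issuer's realm with the role label, e.g. "saml-20-aa.example.com"."""
    if role_label not in ROLE_LABELS:
        raise ValueError(f"unknown role label: {role_label}")
    if not realm or realm.startswith(".") or "@" in realm:
        raise ValueError(f"invalid realm: {realm}")
    return f"{role_label}.{realm}"


def realm_of(nai: str) -> str:
    """Return the realm part of an NAI; a bare realm or "user@realm" are both accepted."""
    return nai.rsplit("@", 1)[-1].lower()


def next_hop(nai: str) -> Optional[str]:
    """Proxy side: longest-suffix match on the realm labels, ignoring any role label.

    The role label simply becomes one more left-hand label, so a proxy that knows
    "example.com" routes "saml-20-aa.example.com" there without knowing the label.
    """
    labels = realm_of(nai).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in NEXT_HOP_BY_REALM:
            return NEXT_HOP_BY_REALM[candidate]
    return None  # no route: the proxy should reject rather than guess


def dispatch_role(nai: str) -> Optional[str]:
    """Home-realm side: the left-most label names the Issuer role to hand the request to."""
    first, _, rest = realm_of(nai).partition(".")
    if rest and first in ROLE_LABELS:
        return ROLE_LABELS[first]
    return None  # plain access request, no role-specific endpoint


if __name__ == "__main__":
    nai = build_nai("saml-20-aa", "example.com")
    print(nai, "->", next_hop(nai), "->", dispatch_role(nai))
```

Running the module prints the hop and role chosen for "saml-20-aa.example.com"; the point is that `next_hop` never inspects the attribute payload, while `dispatch_role` is the only place the role label is interpreted.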
_______________________________________________
plasma mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/plasma