Assurance

["Dunker, Mary" <>]

So far, my institution has been looking at InCommon Silver from the IdP side. 
After thinking about  Eric's situation, I wonder if we need some more 
guidelines for SPs that are going to require/request Silver from the IdP.

Mary 


-----------------------------------------------------------------
Mary Dunker
Director, Secure Enterprise Technology Initiatives
Virginia Tech Information Technology
1700 Pratt Drive
Blacksburg, VA 24060
540-231-9327

 
--------------------------------------------------------------------


-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Eric Goodman
Sent: Tuesday, January 24, 2012 3:38 PM
To: 

Subject: Re: [Assurance] Assurance and system monitoring

On Tue, Jan 24, 2012 at 12:08 PM, RL 'Bob' Morgan 
<>
 wrote:

        Your IdP could actively try to prevent this by limiting the SPs this 
account could go to.  I don't think Shib can do this out of the box, though.


Well, if I'm forced to, I could see creating a special InCommonSilver IAQ 
attribute in Shib (say as a static attribute), with a filter to release the 
value only if either user has an InCommon Silver IAQ or if the user's ePPN 
matches the ePPN of one of the test accounts. That would mean having 
attribute release policies that are specific to accounts, which I don't like 
as it seems like a nightmare to manage, but I do think this can be 
accomplished technically with Shibboleth. 

I'd still rather say no, though. :)

Thank you for the rest of the feedback as well.

--- Eric