InCommon Library Services

[Tom Barton <>]

Rich Wenger wrote:
>  wrote:
> > Could a custom dataconnector in the IdP retrieve this info from the 
> > ROLES DB, and then send it along as an attribute?
> >
> > I believe the IdP (perhaps only the version in subversion, and about 
> > to be released?) contains a SOAP client.
> It is an interesting policy question whether or not this sort of 
> provisioning belongs with the IdP.  I have my
> doubts, but am interested in hearing other views.  It blurs the 
> distinction between authentication and authorization,
> a distinction that many IT departments have established with 
> considerable effort.

An authentication-only service essentially provides the relying service 
with one user attribute: their username (or other subject name). An IdP 
can also supply additional user attributes, if so configured (the 
authenticated subject's username is rwenger, and the subject has the 
following roles: ...).

This approach leaves the authorization decision with the relying 
service, but it does provide an alternative to the status quo for how 
the relying service will gather the info it needs in order to make its 
authorization decision.

Tom