Interfederation

[Scott Koranda <>]

Hi,

On Sat, Jun 8, 2013 at 12:09 PM, Cantor, Scott 
<>
 wrote:
> On 6/8/13 5:45 AM, "Scott Koranda" 
> <>
>  wrote:
>>
>>It has been an issue to some extent. Cardiff is only releasing an
>>opaque ePPN instead of an ePPN that identifies the user.
>
> EPPN doesn't require non-opacity, though.

I understand.

I am looking for a shortcut to bridge until I have the
application-side work done and COmanage in place doing everything I
need it to do.

> We don't have any actual
> identifiers that do, including (though far less likely) email addresses.
>
>>I have plans to "fix" this problem using COmanage to enroll the user,
>>consume proper identifiers self-asserted by the users, map them to the
>>opaque ePPN, and then make them available from a SAML attribute
>>authority. That work is ongoing.
>
> That seems like it opens you up to the problem of users socially spoofing
> other users. Perhaps you have a closed community and it's not a concern.
>

The enrollment flows we will use require approval and a verification
process that will prevent spoofing.

We have the ability to tightly bind what an IdP asserts about a user
to what our collaboration knows about a user.

Thanks,

Scott K