Hi Tom

Sorry but I have to disagree with you.

Tom Scavo wrote:

> In the final analysis, yes, but the Grid SP (taken as a whole) needs to know 1) what is the preferred IdP of the user,

Why does it need to know this? Surely the SP only needs to know which IdPs it trusts, but not which user is associated with which IdP. Only the user needs to know this and will choose it himself by WAYF or other means.

> and 2) what AA endpoint to query. Before the CVS can determine the latter, the PEP must supply the former.

I agree with this (except that for small grids, the CVS can have a set of preconfigured AAs that it trusts. Actually even large grids can make do with this if there are a few globally trusted AAs. Consider Visa and Amex for instance. All the shopkeepers in the world only need to know these two or three AAs and no more for them to accept requests from the entire global population.)

> So I claim the unique identifier of the IdP (entityID) must travel from the user to the PEP to the CVS.

I disagree. From the user to the PEP yes, since this will use it for authentication, but the CVS does not need to know this information.

> Then and only then can the CVS determine the appropriate endpoint to query.

No, the message from the PEP can contain this information directly.

regards

David

> Tom

--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
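A small added model of the two flows argued over in this exchange (my own illustration, not code from either correspondent or from any grid middleware): the PEP either forwards the IdP entityID for the CVS to resolve through metadata, or names the AA endpoint directly, and in both cases the CVS checks the AA against its own preconfigured trust list before querying it. The entity IDs, endpoints and attribute values are constructed placeholders.

```python
# Added example, not from the thread: a toy model of PEP -> CVS -> AA resolution.
# All identifiers and endpoints below are constructed for illustration.

# The CVS's preconfigured set of trusted AAs (David's "Visa and Amex" point).
TRUSTED_AAS = {
    "https://aa.example-grid.org/attrs",
    "https://aa.partner.example/attrs",
}

# Constructed IdP metadata: entityID -> AA endpoint (Tom's flow, where the CVS
# derives the AA to query from the IdP the user authenticated at).
IDP_METADATA = {
    "https://idp.example-grid.org/shibboleth": "https://aa.example-grid.org/attrs",
}

# Constructed attribute store standing in for what a real AA query would return.
AA_ATTRIBUTES = {
    "https://aa.example-grid.org/attrs": {"alice": {"vo": "atlas", "role": "analyst"}},
    "https://aa.partner.example/attrs": {"alice": {"vo": "partner", "role": "guest"}},
}


def pep_build_request(subject, idp_entity_id=None, aa_endpoint=None):
    """PEP -> CVS message: carries either the IdP entityID (Tom's position)
    or the AA endpoint itself (David's position)."""
    return {"subject": subject, "idp_entity_id": idp_entity_id, "aa_endpoint": aa_endpoint}


def cvs_validate(request):
    """CVS works out which AA to query, then enforces its own trust list
    regardless of who named the AA, and returns the validated attributes."""
    endpoint = request["aa_endpoint"]
    if endpoint is None:
        # Tom's flow: resolve the AA endpoint from the IdP entityID via metadata.
        endpoint = IDP_METADATA.get(request["idp_entity_id"])
        if endpoint is None:
            return {"ok": False, "reason": "unknown IdP entityID"}
    # Whether the PEP or the metadata named the AA, the CVS only queries AAs it trusts.
    if endpoint not in TRUSTED_AAS:
        return {"ok": False, "reason": "AA endpoint not trusted by CVS"}
    attrs = AA_ATTRIBUTES[endpoint].get(request["subject"])
    if attrs is None:
        return {"ok": False, "reason": "subject unknown to AA"}
    return {"ok": True, "aa": endpoint, "attributes": attrs}
```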