In OpenID Connect, the authorization server maintains the list of available attributes and their location.
After user authorization, the relying party would be able to obtain the location (endpoint) and the access token to be used on the endpoint.
The assurance level of the attribute source is another issue. It needs to be dealt with by some kind of trust framework.
Nat
On Saturday, January 7, 2012, Gerald Beuchelt <work@beuchelt.com> wrote:
> Mauro -
> As far as I can see there are two principal approaches:
> 1. An authoritative attribute provider is determined by policy, i.e. an authority within the group of operators defines who is authoritative. This will - most likely - have to be decided and configured upfront.
> 2. The relying party makes their own determination, based on its needs and policies. In this scenario, the RP has more flexibility to determine authoritativeness at runtime.
> So, in general, the problem is really a managerial problem, and not a technical one. However, metadata may help in making decisions at runtime.
> Best,
> Gerald
>
> On Jan 6, 2012, at 18:50 , Colin Wallis wrote:
>
> Hi Mauro
>
> It is a good question and one which, along with many others, the Kantara Attribute Management Discussion Group has within its scope.
>
> The general feeling is that 'responsibility', as you mention below, will be published/consumed via metadata.
>
> But we need to determine what that actual attribute will be - whether we create one or re-use one (say from a SAML 2.0 profile).
>
> Cheers
> Colin
>
>
>> Date: Tue, 3 Jan 2012 19:43:50 +0100
>> From: s172556@studenti.polito.it
>> To: community@kantarainitiative.org
>> Subject: [Kantara - Community] Attributes from multiple APs
>>
>> Hello everyone,
>>
>> I am starting a thesis work on attributes management and aggregation in
>> a federated identity environment and I am trying to figure out how to
>> address attributes resolution in a scenario where there are multiple
>> Attribute Providers.
>> The main issue is: how does a relying party know which AP is responsible
>> for a given attribute?
>> As I am doing research, I would like to know if in Kantara this
>> problem has been faced and, if so, how you have solved it.
>>
>> Thank you for your time and consideration.
>>
>> Best Regards,
>>
>> Mauro
>>
>> --
>> Mauro L
>> Polytechnic University of Turin
>> _______________________________________________
>> Community mailing list
>> Community@kantarainitiative.org
>> http://kantarainitiative.org/mailman/listinfo/community
--
Nat Sakimura (=nat)
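The mechanism Nat describes (the authorization server lists the attributes and where they live; the relying party resolves each one at the named endpoint with the supplied access token) is the OpenID Connect distributed-claims convention (`_claim_names` / `_claim_sources`). The following is an added example, not code from the thread or from any Kantara or OpenID project: a relying-party resolver that fetches distributed claims only from providers on an allow-list standing in for the trust framework Nat mentions. The claim names, endpoint URLs, access tokens and the offline fetcher are constructed placeholders.

```python
# Constructed sample: a UserInfo-style response using the OpenID Connect
# distributed-claims convention. Every URL and token here is a placeholder.
SAMPLE_CLAIMS = {
    "sub": "248289761001",
    "name": "Jane Doe",
    "_claim_names": {"degree": "src1", "student_id": "src1", "employer": "src2"},
    "_claim_sources": {
        "src1": {"endpoint": "https://ap.university.example/claims",
                 "access_token": "ksj3n283dke"},
        "src2": {"endpoint": "https://ap.unknown.example/claims",
                 "access_token": "abc"},
    },
}

# Assumption: a minimal stand-in for a trust framework, i.e. the attribute
# providers this relying party treats as authoritative.
TRUSTED_PROVIDERS = {"https://ap.university.example/claims"}

def resolve_distributed_claims(claims, fetch, trusted):
    """Return (resolved_claims, rejected_claim_names).

    fetch(endpoint, access_token) performs the bearer-token call to the
    attribute provider and returns its decoded JSON. A claim whose source
    endpoint is not in `trusted` is never fetched and is reported instead.
    """
    names = claims.get("_claim_names", {})
    sources = claims.get("_claim_sources", {})
    resolved = {k: v for k, v in claims.items() if not k.startswith("_claim_")}
    rejected, cache = [], {}
    for claim, src_name in names.items():
        src = sources.get(src_name, {})
        endpoint = src.get("endpoint")
        if endpoint not in trusted:
            rejected.append(claim)
            continue
        if src_name not in cache:  # one call per source, not per claim
            cache[src_name] = fetch(endpoint, src.get("access_token"))
        if claim in cache[src_name]:
            resolved[claim] = cache[src_name][claim]
    return resolved, rejected

# Offline stand-in for the HTTPS call to the attribute provider endpoint.
FAKE_RESPONSES = {
    "https://ap.university.example/claims": {"degree": "MSc", "student_id": "s172556"},
}

def fake_fetch(endpoint, access_token):
    assert access_token, "this sample expects the AS to supply the token"
    return FAKE_RESPONSES[endpoint]

def demo():
    return resolve_distributed_claims(SAMPLE_CLAIMS, fake_fetch, TRUSTED_PROVIDERS)
```

In a real deployment `fake_fetch` is replaced by an HTTPS GET with `Authorization: Bearer <access_token>`, and the allow-list by whatever metadata the trust framework publishes.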