In OpenID Connect, the authorization server maintains the list of available attributes and their location. <br>After user authorization, the relying party would be able to obtain the location (endpoint) and the access token to be used on the endpoint. <br>
The assurance level of the attribute source is another issue. It needs to be dealt with some kind of trust framework. <br><br>Nat<br><br>On Saturday, January 7, 2012, Gerald Beuchelt &lt;<a href="mailto:work@beuchelt.com">work@beuchelt.com</a>&gt; wrote:<br>
&gt; Mauro - <br>&gt; As far as I can see there are two principal approaches: <br>&gt; 1. An authoritative attribute provider is determined by policy, i.e. an authority within the group of operators defines who is authoritative. This will - most likely - have to be decided and configured upfront. <br>
&gt; 2. The relying party makes their own determination, based on its needs and policies. In this scenario, the RP has more flexibility to determine authoritativeness at runtime. <br>&gt; So, in general, the problem is really a managerial problem, and not a technical one. However, meta data may help in making decisions at runtime. <br>
&gt; Best, <br>&gt; Gerald<br>&gt;<br>&gt; On Jan 6, 2012, at 18:50 , Colin Wallis wrote:<br>&gt;<br>&gt; Hi Mauro<br>&gt;  <br>&gt; It is a good question and one which along with many others, the Kantara Attribute Management Discussion Group has within its scope.<br>
&gt;  <br>&gt; The general feeling is that &#39;responsibility&#39; as you mention below, will be published/consumed via meta data.<br>&gt;  <br>&gt; But we need to determine what that actual attribute will be - whether we create one or re-use one (say from a SAML 2.0 profile).<br>
&gt;  <br>&gt; Cheers<br>&gt; Colin<br>&gt;<br>&gt;  <br>&gt;&gt; Date: Tue, 3 Jan 2012 19:43:50 +0100<br>&gt;&gt; From: <a href="mailto:s172556@studenti.polito.it">s172556@studenti.polito.it</a><br>&gt;&gt; To: <a href="mailto:community@kantarainitiative.org">community@kantarainitiative.org</a><br>
&gt;&gt; Subject: [Kantara - Community] Attributes from multiple APs<br>&gt;&gt; <br>&gt;&gt; Hello everyone,<br>&gt;&gt; <br>&gt;&gt; I am starting a thesis work on attributes management and aggregation in<br>&gt;&gt; a federated identity environment and I am trying to figure out how to<br>
&gt;&gt; address attributes resolution in a scenario where there are multiple<br>&gt;&gt; Attribute Providers.<br>&gt;&gt; The main issue is: how does a relying party know which AP is responsible<br>&gt;&gt; for a given attribute?<br>
&gt;&gt; As I am doing a research, I would like to know if in Kantara this<br>&gt;&gt; problem has been faced and, if so, how you have solved it.<br>&gt;&gt; <br>&gt;&gt; Thank you for your time and consideration.<br>&gt;&gt; <br>
&gt;&gt; Best Regards,<br>&gt;&gt; <br>&gt;&gt; Mauro<br>&gt;&gt; <br>&gt;&gt; -- <br>&gt;&gt; Mauro L<br>&gt;&gt; Polytechnic University of Turin<br>&gt;&gt; _______________________________________________<br>&gt;&gt; Community mailing list<br>
&gt;&gt; <a href="mailto:Community@kantarainitiative.org">Community@kantarainitiative.org</a><br>&gt;&gt; <a href="http://kantarainitiative.org/mailman/listinfo/community">http://kantarainitiative.org/mailman/listinfo/community</a><br>
&gt; _______________________________________________<br>&gt; Community mailing list<br>&gt; <a href="mailto:Community@kantarainitiative.org">Community@kantarainitiative.org</a><br>&gt; <a href="http://kantarainitiative.org/mailman/listinfo/community">http://kantarainitiative.org/mailman/listinfo/community</a><br>
&gt;<br>&gt;<br><br>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div><br>