Subject Re: affiliate student?
From "Diego R. Lopez" <diego.lopez@xxxxxxxxxx>
Date Tue, 13 Jul 2010 00:43:11 +0200

On 9 Jul 2010, at 19:20, David L. Wasley wrote:
Having said that, I have a different but related concern: how to best deal with denial of access when the rules become more fine grained. This is the help desk problem. It could be mitigated at the time of denial if some explanation could be offered, but which party is better suited to do that: the IdP or the SP/RP?

If 'entitlement' is used then all the SP/RP could say is "You are not entitled." However, the IdP could say "This resource is available only to ____ or _____."

On the other hand, if attributes are given to the SP/RP and it does the algebra, then it would have to provide the explanation to the denied user.

As an institution supporting a community of users, I would prefer to implement the former since it would allow for better treatment of the frustrated user.

In a discussion with some representatives of resource providers (alas, not publishers) they asked us, the federation guys, whether we could provide a simple attribute stating "I, institution X, will pay for this user access to this resource at this time". Some kind of authorization-in-advance, that is a model that I think is worth exploring as well...

Be goode,

"Esta vez no fallaremos, Doctor Infierno"

Dr Diego R. Lopez - RedIRIS
The Spanish NREN

e-mail: diego.lopez@xxxxxxxxxx
jid:        diego.lopez@xxxxxxxxxx
Tel:    +34 955 056 621
Mobile: +34 669 898 094
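
The two denial paths discussed in this message, as an added example that is not part of the original e-mail: in the first the IdP does the algebra and releases only an entitlement, in the second the SP/RP receives the attributes and evaluates the rule itself. The rule format, attribute names, entitlement value and sample users are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed access rule for one resource: any one clause is sufficient.
# In model 1 this rule lives at the IdP, in model 2 at the SP/RP.
RULE = [
    {"affiliation": "student", "department": "chemistry"},
    {"affiliation": "faculty"},
]
ENTITLEMENT = "urn:example:entitlement:chem-journals"  # constructed value


@dataclass
class Decision:
    allowed: bool
    explained_by: str  # the party that knows the rule and can explain a denial
    message: str       # what the SP/RP is able to show the user


def matches(clause, attrs):
    """True if every attribute/value pair in the clause is present for the user."""
    return all(value in attrs.get(name, []) for name, value in clause.items())


def describe(rule):
    """Render the rule so it can be shown to a denied user."""
    return " or ".join(" and ".join(f"{k}={v}" for k, v in c.items()) for c in rule)


def idp_issue_entitlements(attrs):
    """Model 1, IdP side: evaluate the rule, release only the result."""
    if any(matches(c, attrs) for c in RULE):
        return [ENTITLEMENT], None
    return [], f"This resource is available only to {describe(RULE)}."


def sp_check_entitlement(entitlements):
    """Model 1, SP/RP side: sees only whether the entitlement is present."""
    if ENTITLEMENT in entitlements:
        return Decision(True, "n/a", "access granted")
    return Decision(False, "IdP", "You are not entitled.")


def sp_check_attributes(attrs):
    """Model 2: attributes are released and the SP/RP does the algebra."""
    if any(matches(c, attrs) for c in RULE):
        return Decision(True, "n/a", "access granted")
    return Decision(False, "SP/RP", f"Denied: requires {describe(RULE)}.")
```

In the first model the useful explanation exists only at the IdP, so the help desk burden falls on the home institution; in the second the SP/RP holds the rule and the released attributes, so the explanation has to come from there.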