Subject Re: affiliate student?
From "David L. Wasley" <dlwasley@xxxxxxxxxxxxx>
Date Mon, 12 Jul 2010 18:12:50 -0700

Exactly. The IdP knows what the eligibility rules are for the SP/RP that is asking. That's inherent in the contractual relationship.

At the time the Subject goes to the SP/RP, the IdP can "calculate" (do the algebra) to determine if that Subject is eligible under the terms of the contract. The IdP doesn't need to store the eligibility as long as it can be determined from basic attributes. (But what are the required attributes??)

The SP/RP must trust the IdP to do this legitimately (i.e., not cheat) but then a lot of this model is based on trust in various ways. The real question is "what is the risk if trust is misplaced?"

At 2:06 AM +0200 on 7/13/10, Diego R. Lopez wrote:

On 13 Jul 2010, at 01:15, Milan Sova wrote:

On 13.7.2010 00:43, Diego R. Lopez wrote:

In a discussion with some representatives of resource providers (alas, not publishers) they asked us, the federation guys, whether we could provide a simple attribute stating "I, institution X, will pay for this user access to this resource at this time". Some kind of authorization-in-advance; that is a model that I think is worth exploring as well...

	Isn't this what the ePEntitlement is good for?

If ePE is dynamically generated, yes. That possibility of dynamically producing specialized values for ePE (or another attribute) is the part I think is interesting to consider.

"This time we will not fail, Doctor Infierno"

Dr Diego R. Lopez - RedIRIS
The Spanish NREN

e-mail: diego.lopez@xxxxxxxxxx
jid:        diego.lopez@xxxxxxxxxx
Tel:    +34 955 056 621
Mobile: +34 669 898 094
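
The request-time calculation discussed in this thread, sketched as an added example that is not code from any of the participants: the IdP derives eduPersonEntitlement (ePE) values per SP from basic attributes instead of storing them. The entity IDs, contract terms, the `enrolledCourses` attribute and the `urn:example` entitlement are assumptions made for illustration.

```python
# Added illustration: entity IDs, contract terms and sample subjects are constructed.
COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"
COURSEWARE = "urn:example:entitlement:courseware"  # hypothetical value
PUBLISHER_SP = "https://sp.publisher.example/shibboleth"
COURSEWARE_SP = "https://sp.courseware.example/shibboleth"


def affiliations(attrs):
    return set(attrs.get("eduPersonAffiliation", []))


# Contract terms the IdP holds per SP: entitlement value -> rule over basic attributes.
CONTRACTS = {
    PUBLISHER_SP: {
        COMMON_LIB_TERMS: lambda a: bool(affiliations(a) & {"faculty", "staff", "student"}),
    },
    COURSEWARE_SP: {
        # Affiliates are covered only while enrolled ("enrolledCourses" is hypothetical).
        COURSEWARE: lambda a: "student" in affiliations(a)
        or ("affiliate" in affiliations(a) and bool(a.get("enrolledCourses"))),
    },
}


def compute_entitlements(sp_entity_id, subject_attrs):
    """Derive the ePE values to release to one SP at request time; nothing is stored."""
    rules = CONTRACTS.get(sp_entity_id)
    if rules is None:
        return []  # no contract with this SP, so release no entitlement
    return sorted(value for value, rule in rules.items() if rule(subject_attrs))


if __name__ == "__main__":
    affiliate_student = {"eduPersonAffiliation": ["affiliate"], "enrolledCourses": ["CS101"]}
    for sp in (PUBLISHER_SP, COURSEWARE_SP, "https://unknown.example/sp"):
        print(sp, compute_entitlements(sp, affiliate_student))
```

The same subject gets a different answer from each SP because the rule, not the subject record, carries the contract terms; an SP without a contract gets nothing.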