[wsf-dev] ID-WSF newbie questions
Scott Cantor
cantor.2 at osu.edu
Tue Jun 10 19:03:45 PDT 2008
> 1.
> How does the CompanyA CRM get hold of my Discovery Service? Does it
> capture this information when I federate my accounts, and then use either
> the NameID mapping service or SSOS service of my IdP to get the appropriate
> tokens for my discovery service when it needs to as the DS?
I believe the People Service includes such use cases, or there are ways to
"subscribe" to that user's DS to get updates when it moves.
Yes, you would typically discover the other user's PP with their DS but use
your SSOS to get a token for it.
> 2.
> The principal representing the CRM user. Perhaps the Personal
> Profile can use SAML attributes in the RequestingPrincipal's assertion to
> determine whether to grant access. However, this would make the policy
> enforcement at the Personal Profile service fairly complex - it would need
> to know what attribute statements to expect, and these could possibly be
> different between different IdPs.
Yes, that's just the reality of attribute-based authz. The policy required
should determine what you do, not the ease of implementing it. Otherwise it
wasn't the necessary policy to begin with. Policy is what you do, not what
you say you should do.
> Question 2 is more conceptual than technical, but it would be interesting to
> get your thoughts.
I think you've got a pretty good handle on it.
-- Scott
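The point raised in question 2 (a Personal Profile service must know which attribute statements to expect from each IdP before it can make an attribute-based decision), as an added example that is not part of the thread: the issuer URLs, attribute names, role values and the policy itself are constructed for illustration.

```python
"""Added example: attribute-based access decision at a Personal Profile (PP)
service when the RequestingPrincipal's assertion comes from different IdPs
that name the same property differently. All identifiers are constructed."""

# Constructed per-issuer vocabularies: each trusted IdP uses its own attribute
# names, so the PP keeps one mapping per issuer (canonical name -> IdP name).
IDP_ATTRIBUTE_MAP = {
    "https://idp.company-a.example": {"role": "urn:example:crmRole",
                                      "org": "urn:example:companyId"},
    "https://idp.company-b.example": {"role": "employeeType", "org": "o"},
}


def normalize(issuer, attributes):
    """Translate an issuer-specific attribute statement into canonical names.
    An issuer without a mapping yields no attributes at all, so any policy
    built on the result denies by default instead of trusting raw names."""
    mapping = IDP_ATTRIBUTE_MAP.get(issuer)
    if mapping is None:
        return {}
    return {canon: attributes[raw]
            for canon, raw in mapping.items() if raw in attributes}


def may_read_profile(issuer, attributes, owner_org):
    """Constructed policy: the requester may read a profile only if its
    assertion was issued by a trusted IdP, carries the canonical role
    'crm-agent', and names the same organisation as the profile's owner."""
    attrs = normalize(issuer, attributes)
    return attrs.get("role") == "crm-agent" and attrs.get("org") == owner_org


if __name__ == "__main__":
    # Same policy, two IdPs with different attribute statements.
    a = {"urn:example:crmRole": "crm-agent", "urn:example:companyId": "companyA"}
    b = {"employeeType": "crm-agent", "o": "companyB"}
    print(may_read_profile("https://idp.company-a.example", a, "companyA"))
    print(may_read_profile("https://idp.company-b.example", b, "companyA"))
```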