Frequently Asked Questions on Autograph
What is the basic functionality of Autograph?
Members of the Identity Provider can configure Service Provider specific idCards. The attributes on these idCards will be sent to the Service Provider.
It is also possible for members to change the values of attributes which were configured as writable by the IdP admin.
What conditions have to be fulfilled in order to install and run Autograph?
A Shibboleth Identity Provider has to be properly integrated in a Federation. Autograph is tested with 'shib-java Rel_1_3_FINAL_C'.
What changes have to be made to the Service Provider installation to include Autograph in the Single Sign On profile?
The only change is made in the application description file (web.xml). A servlet mapping is added so that an AutographRedirectionSwitch servlet is placed between the ./shibboleth-idp/SSO URL and the IdPResponder servlet. When an HTTP request hits ./shibboleth-idp/SSO, the AutographRedirectionSwitch decides whether a redirect to Autograph should be made or whether the request should be passed to the IdPResponder. (web.xml with changes) (more)
How can I as an IdP admin make sure an IdP member doesn't see sensitive attributes?
For the sake of transparency in the Federation it would be favourable if only attributes which the user is allowed to see are released. However, if an attribute is not defined in Autograph's AttributeInfoPoint configuration file, it does not exist for Autograph. Therefore IdP members will never see it, and its release status defined in the site Attribute Release Policy (ARP) will never be changed in a user ARP.
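The visibility rule described above, modelled as an added example; it is not Autograph or Shibboleth code and not part of the original page. The attribute names, the dictionary layout and the simple "user choice overrides site status" merge are assumptions made for illustration.

```python
# Constructed sample data: names and values are illustrative, not from Autograph.
SITE_ARP = {  # site ARP for one Service Provider: attribute -> released?
    "eduPersonAffiliation": True,
    "mail": True,
    "internalRiskScore": True,  # released to the SP, but sensitive for members
}
# Attributes defined in the AttributeInfoPoint configuration (hypothetical set).
ATTRIBUTE_INFO_POINT = {"eduPersonAffiliation", "mail"}


def visible_attributes(site_arp, info_point):
    """Attributes an IdP member can see: only those defined for Autograph."""
    return sorted(a for a in site_arp if a in info_point)


def effective_release(site_arp, info_point, user_choices):
    """Overlay user ARP choices on the site ARP.

    An attribute that is not defined in the AttributeInfoPoint does not exist
    for Autograph, so a user choice for it is ignored and the site ARP status
    stays untouched.
    """
    result = dict(site_arp)
    for attr, release in user_choices.items():
        if attr in info_point and attr in site_arp:
            result[attr] = release
    return result


def released_but_hidden(site_arp, info_point):
    """Audit helper: attributes released by the site ARP that members never see.

    Each entry is a deliberate trade of Federation transparency for
    confidentiality and should be a conscious decision by the IdP admin.
    """
    return sorted(a for a, rel in site_arp.items() if rel and a not in info_point)


if __name__ == "__main__":
    choices = {"mail": False, "internalRiskScore": False}  # constructed input
    print(visible_attributes(SITE_ARP, ATTRIBUTE_INFO_POINT))
    print(effective_release(SITE_ARP, ATTRIBUTE_INFO_POINT, choices))
    print(released_but_hidden(SITE_ARP, ATTRIBUTE_INFO_POINT))
```

Running the audit helper against the real site ARP and AttributeInfoPoint contents gives the IdP admin the list of attributes that are released without the member being able to see them.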
-- MoritzTheile - 09 Mar 2006