Grouper Developers Forum

[Chris Hyzer <>]

Hey,

Maybe this is a topic for a shib list, but I am just curious if anyone on 
this list knows the answer.

We have talked about securely exposing membership information from Shib IdP 
to SP, and I am wondering if it is possible to do this dynamically...

Ie. at some point in the Shib workflow, have a (custom?) plugin run a query 
against a Grouper SQL interface (since our LDAP/WS cant do this) which says:

select group_name from shib_groups_v where sp_id = ? and person_logging_in_id 
= ?

Then have the sp_id and person_logging_in_id (login id) dynamically bound, 
and the groups returned.  The view would see which groups the SP subject_id 
is a READER or ADMIN of the group, and the person_logging_in_id is a member 
of the group.

So in order for someone on campus to expose group information to their SP, 
they just add their SP service principal subject as a reader to the group, 
and dynamically it will work securely (no other SP's will see that group 
membership unless authorized, and no extra configuration is needed at the 
IdP).  This is for an eduperson entitlement.

Anyways, is this possible/desirable in shibboleth?  If so can someone tell me 
how to accomplish this?  Am I on the wrong list?

Thanks,
Chris

Ps. I read Shilen's post, and I think he was saying configuration is needed 
at the IdP.  Is that correct?

https://wiki.internet2.edu/confluence/display/GrouperWG/Exposing+Groups+Through+Shibboleth

Pps. I also saw this thread, and it also didn't seem to answer my question, 
it seemed like you first get all, then filter that list for the SP.  It also 
seemed like it was against this type of approach.  :)

http://groups.google.com/group/shibboleth-users/browse_thread/thread/3b293432912f5c49