grouper-dev - secure Shibboleth - Grouper integration
secure Shibboleth - Grouper integration
  • From: Chris Hyzer <>
  • Subject: secure Shibboleth - Grouper integration
  • Date: Wed, 2 Sep 2009 00:35:37 -0400


Maybe this is a topic for a shib list, but I am just curious if anyone on
this list knows the answer.

We have talked about securely exposing membership information from Shib IdP
to SP, and I am wondering if it is possible to do this dynamically...

I.e. at some point in the Shib workflow, have a (custom?) plugin run a query
against a Grouper SQL interface (since our LDAP/WS can't do this) which says:

select group_name from shib_groups_v where sp_id = ? and person_logging_in_id
= ?

Then have the sp_id and person_logging_in_id (login id) dynamically bound,
and the groups returned. The view would see which groups the SP subject_id
is a READER or ADMIN of, and which of those the person_logging_in_id is a
member of.

So in order for someone on campus to expose group information to their SP,
they just add their SP service principal subject as a reader to the group,
and dynamically it will work securely (no other SPs will see that group
membership unless authorized, and no extra configuration is needed at the
IdP). This is for an eduPerson entitlement.

Anyways, is this possible/desirable in shibboleth? If so can someone tell me
how to accomplish this? Am I on the wrong list?


P.S. I read Shilen's post, and I think he was saying configuration is needed
at the IdP. Is that correct?

P.P.S. I also saw this thread, and it also didn't seem to answer my question;
it seemed like you first get all, then filter that list for the SP. It also
seemed like it was against this type of approach. :)
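The query the post sketches, worked through as an added example (editor's code, not from the post and not Grouper's or Shibboleth's own code or schema). It models the idea with three constructed tables in an in-memory SQLite database standing in for Grouper's SQL interface, defines a shib_groups_v view that only emits a membership row when the SP's subject holds READER or ADMIN on the group, and runs the post's query with sp_id and person_logging_in_id bound as parameters. The table names, column names, privilege names other than READER/ADMIN, and all group, user and SP identifiers are assumptions made up for the example.

```python
import sqlite3

# Constructed, simplified stand-in for Grouper's tables. Grouper's real schema
# differs; only the relationships the post relies on are modelled here.
SCHEMA = """
create table groups (
    group_id   integer primary key,
    group_name text not null unique
);
create table memberships (
    group_id  integer not null references groups(group_id),
    member_id text    not null
);
create table privileges (
    group_id   integer not null references groups(group_id),
    subject_id text    not null,   -- the SP's service-principal subject
    privilege  text    not null    -- READER, ADMIN, or some other privilege
);
-- The view the post describes: one row per (group, authorised SP, member).
-- An SP only sees a group's members if it holds READER or ADMIN on that group,
-- so adding the SP subject as a reader is the whole authorisation step.
create view shib_groups_v as
    select distinct
           g.group_name  as group_name,
           p.subject_id  as sp_id,
           m.member_id   as person_logging_in_id
      from groups g
      join privileges  p on p.group_id = g.group_id
      join memberships m on m.group_id = g.group_id
     where p.privilege in ('READER', 'ADMIN');
"""

# Constructed sample data (all identifiers are made up for this example).
GROUPS = [(1, "campus:courses:cis101"), (2, "campus:clubs:chess"), (3, "campus:staff:it")]
MEMBERSHIPS = [(1, "alice"), (1, "bob"), (2, "bob"), (3, "alice")]
PRIVILEGES = [
    (1, "sp-lms", "READER"),
    (2, "sp-lms", "READER"),
    (3, "sp-wiki", "ADMIN"),
    (3, "sp-lms", "UPDATE"),   # not READER/ADMIN, so sp-lms must not see staff:it
]


def build_db():
    """Create the in-memory database with the view and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("insert into groups values (?, ?)", GROUPS)
    conn.executemany("insert into memberships values (?, ?)", MEMBERSHIPS)
    conn.executemany("insert into privileges values (?, ?, ?)", PRIVILEGES)
    conn.commit()
    return conn


def groups_for_sp(conn, sp_id, person_logging_in_id):
    """Return the groups the SP may see for this person, sorted by name.

    Both ids are bound as parameters and never formatted into the SQL text:
    they come from the SAML request and the authenticated principal, and
    string-concatenating them into the query would be a SQL injection hole.
    """
    rows = conn.execute(
        "select group_name from shib_groups_v"
        " where sp_id = ? and person_logging_in_id = ?"
        " order by group_name",
        (sp_id, person_logging_in_id),
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    for sp, person in [("sp-lms", "alice"), ("sp-lms", "bob"),
                       ("sp-wiki", "alice"), ("sp-wiki", "bob"),
                       ("sp-unknown", "alice")]:
        print(sp, person, "->", groups_for_sp(db, sp, person))
```

Note that an SP with no READER or ADMIN privilege on any group gets an empty list rather than an error, and that a value such as "x' or '1'='1" passed as sp_id simply matches nothing because it is bound, not interpolated.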
