grouper-dev - secure Shibboleth - Grouper integration
Subject: Grouper Developers Forum
- From: Chris Hyzer <>
- To: "" <>
- Subject: secure Shibboleth - Grouper integration
- Date: Wed, 2 Sep 2009 00:35:37 -0400
Hey,
Maybe this is a topic for a shib list, but I am just curious if anyone on
this list knows the answer.
We have talked about securely exposing membership information from Shib IdP
to SP, and I am wondering if it is possible to do this dynamically...
I.e., at some point in the Shib workflow, have a (custom?) plugin run a query
against a Grouper SQL interface (since our LDAP/WS can't do this) which says:
  select group_name from shib_groups_v where sp_id = ? and person_logging_in_id = ?
Then have the sp_id and person_logging_in_id (login id) dynamically bound,
and the groups returned. The view would see which groups the SP subject_id
is a READER or ADMIN of the group, and the person_logging_in_id is a member
of the group.
So in order for someone on campus to expose group information to their SP,
they just add their SP service principal subject as a reader to the group,
and dynamically it will work securely (no other SPs will see that group
membership unless authorized, and no extra configuration is needed at the
IdP). This is for an eduperson entitlement.
Anyways, is this possible/desirable in Shibboleth? If so, can someone tell me
how to accomplish this? Am I on the wrong list?
Thanks,
Chris
P.S. I read Shilen's post, and I think he was saying configuration is needed
at the IdP. Is that correct?
https://wiki.internet2.edu/confluence/display/GrouperWG/Exposing+Groups+Through+Shibboleth
P.P.S. I also saw this thread, and it also didn't seem to answer my question,
it seemed like you first get all, then filter that list for the SP. It also
seemed like it was against this type of approach. :)
http://groups.google.com/group/shibboleth-users/browse_thread/thread/3b293432912f5c49
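
The per-SP release rule described in the message above, as an added example that is not part of the original post and is not Grouper or Shibboleth code. The tables `memberships` and `privileges`, the view definition, and all sample rows are hypothetical and constructed for illustration; only the view name, its three columns, and the query text come from the message.

```python
import sqlite3

# Hypothetical, simplified schema (NOT Grouper's real tables). The view returns
# a group only when the SP subject holds READER or ADMIN on it and the person
# logging in is a member of it.
SCHEMA = """
CREATE TABLE memberships (group_name TEXT, member_id TEXT);
CREATE TABLE privileges  (group_name TEXT, subject_id TEXT, privilege TEXT);
CREATE VIEW shib_groups_v AS
  SELECT DISTINCT p.subject_id AS sp_id,
         m.member_id  AS person_logging_in_id,
         m.group_name AS group_name
  FROM memberships m
  JOIN privileges p ON p.group_name = m.group_name
  WHERE p.privilege IN ('READER', 'ADMIN');
"""

# Constructed sample data.
MEMBERSHIPS = [
    ("app:wiki:editors", "jsmith"),
    ("app:hr:staff", "jsmith"),
    ("app:wiki:editors", "mjones"),
]
PRIVILEGES = [
    ("app:wiki:editors", "sp-wiki", "READER"),
    ("app:wiki:editors", "sp-wiki", "ADMIN"),   # both privileges: still one row
    ("app:hr:staff", "sp-hr", "READER"),
    ("app:hr:staff", "sp-wiki", "UPDATER"),     # constructed non-read privilege
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO memberships VALUES (?, ?)", MEMBERSHIPS)
    db.executemany("INSERT INTO privileges VALUES (?, ?, ?)", PRIVILEGES)
    return db

def groups_for(db, sp_id, login_id):
    """Run the query from the message with both values bound, never
    concatenated, so neither identifier can alter the SQL."""
    rows = db.execute(
        "select group_name from shib_groups_v "
        "where sp_id = ? and person_logging_in_id = ? order by group_name",
        (sp_id, login_id),
    )
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    for sp in ("sp-wiki", "sp-hr", "sp-unknown"):
        print(sp, groups_for(db, sp, "jsmith"))
```

Adding or removing a READER row for an SP subject changes what that SP receives on the next login, with no per-SP release configuration stored anywhere else.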