grouper-dev - Re: [grouper-dev] secure Shibboleth - Grouper integration
- From: Keith Hazelton <>
- To: Chris Hyzer <>
- Subject: Re: [grouper-dev] secure Shibboleth - Grouper integration
- Date: Wed, 02 Sep 2009 12:44:41 -0500
Chris:
Another issue: Have you considered and rejected the idea of expressing group memberships via the "isMemberOf" attribute rather than via ePEntitlement?
Basic edu* spec for groups:
http://middleware.internet2.edu/dir/docs/internet2-mace-dir-ldap-group-membership-200507.html
Shib details:
https://wiki.internet2.edu/confluence/display/GrouperWG/Exposing+Groups+Through+Shibboleth
Regards, --Keith
____________________
On Sep 1, 2009, at 23:35, Chris Hyzer wrote:
Hey,
Maybe this is a topic for a shib list, but I am just curious if anyone on this list knows the answer.
We have talked about securely exposing membership information from Shib IdP to SP, and I am wondering if it is possible to do this dynamically...
I.e. at some point in the Shib workflow, have a (custom?) plugin run a query against a Grouper SQL interface (since our LDAP/WS can't do this) which says:
select group_name from shib_groups_v where sp_id = ? and person_logging_in_id = ?
Then have the sp_id and person_logging_in_id (login id) dynamically bound, and the groups returned. The view would return the groups of which the SP subject_id is a READER or ADMIN and of which the person_logging_in_id is a member.
So in order for someone on campus to expose group information to their SP, they just add their SP service principal subject as a reader to the group, and dynamically it will work securely (no other SPs will see that group membership unless authorized, and no extra configuration is needed at the IdP). This is for an eduPerson entitlement.
Anyways, is this possible/desirable in shibboleth? If so can someone tell me how to accomplish this? Am I on the wrong list?
Thanks,
Chris
P.S. I read Shilen's post, and I think he was saying configuration is needed at the IdP. Is that correct?
https://wiki.internet2.edu/confluence/display/GrouperWG/Exposing+Groups+Through+Shibboleth
P.P.S. I also saw this thread, and it also didn't seem to answer my question; it seemed like you first get all, then filter that list for the SP. It also seemed like it was against this type of approach. :)
http://groups.google.com/group/shibboleth-users/browse_thread/thread/3b293432912f5c49
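As an added, runnable illustration of the authorization filter Chris describes above (not code from either poster, nor from Grouper or Shibboleth), here is the shib_groups_v view and the parameter-bound lookup modelled in Python over sqlite3. The table layout, the entityIDs and the sample memberships are constructed assumptions standing in for Grouper's real schema; the point is that the SP's own READ/ADMIN privilege is joined into the view, so an SP gets back only the groups it has been authorized to see.

```python
import sqlite3

# Constructed, simplified stand-in for Grouper's membership and privilege
# data (assumption: this is NOT Grouper's real table layout).
SCHEMA = """
CREATE TABLE memberships (
    group_name TEXT NOT NULL,
    subject_id TEXT NOT NULL,
    field      TEXT NOT NULL   -- 'members', 'readers' or 'admins'
);
-- Only rows where the SP holds READ/ADMIN and the person is a member.
CREATE VIEW shib_groups_v AS
SELECT DISTINCT m.group_name,
       p.subject_id AS sp_id,
       m.subject_id AS person_logging_in_id
  FROM memberships m
  JOIN memberships p ON p.group_name = m.group_name
 WHERE m.field = 'members'
   AND p.field IN ('readers', 'admins');
"""

# Constructed sample data: two SPs (keyed by entityID) and two people.
WIKI_SP = "https://wiki.example.edu/shibboleth"
HR_SP = "https://hr.example.edu/shibboleth"
SAMPLE = [
    ("app:wiki:users", "alice", "members"),
    ("app:wiki:users", "bob", "members"),
    ("app:wiki:users", WIKI_SP, "readers"),   # wiki SP may read this group
    ("hr:payroll:staff", "alice", "members"),
    ("hr:payroll:staff", HR_SP, "admins"),    # ADMIN implies read
    ("it:sysadmins", "bob", "members"),
    ("it:sysadmins", WIKI_SP, "admins"),
]

def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO memberships VALUES (?, ?, ?)", SAMPLE)
    return conn

CONN = connect()

def groups_for_sp(sp_id, person_id, conn=CONN):
    """The query from the post, with both values bound as parameters."""
    rows = conn.execute(
        "SELECT group_name FROM shib_groups_v "
        "WHERE sp_id = ? AND person_logging_in_id = ?",
        (sp_id, person_id),
    ).fetchall()
    return sorted(r[0] for r in rows)
```

An SP with no READ or ADMIN privilege on any group (a rogue or merely unconfigured entityID) gets an empty list, which is the property that makes the per-group "add the SP as a reader" delegation safe.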