Skip to Content.
Sympa Menu

grouper-dev - Re: [grouper-dev] secure Shibboleth - Grouper integration

Subject: Grouper Developers Forum

List archive

Re: [grouper-dev] secure Shibboleth - Grouper integration

Chronological Thread 
  • From: Brendan Bellina <>
  • To: Grouper Dev <>
  • Subject: Re: [grouper-dev] secure Shibboleth - Grouper integration
  • Date: Thu, 03 Sep 2009 11:40:53 -0700

One of the issues to bear in mind in either case though is that a person may be a member of groups that have nothing to do with the application and should possibly not be shared with the application. So you will need a way to restrict which values are returned. ARP's can do that but how you name your groups or populate your entitlements will have a bearing.

We populate both entitlement and the eduCourse attributes.


Brendan Bellina
Univ of Southern California

On Sep 3, 2009, at 8:49 AM, RL 'Bob' Morgan wrote:

I don't know, but I will ask our Shib people. Quick question though, does that make what Im talking about easier? :)
Do you know some of the pros cons?

No, doesn't make your job easier.

It probably doesn't make the access control job easier but I definitely think it can make the overall job easier. In my experience entitlements have to be created and supported one by one by IdP staff, including deciding on the value and mapping it to some way of determining membership. By contrast, the whole point of a groups service like Grouper is that creation and maintenance of groups can be delegated to the people who are close to them. So if groups have a standard expression as Shib attributes, a group can be defined and consumed by an app with no IdM-team involvement at all, which seems like a big win to me.

My implicit question was, "Is it worthwhile to try to get to a situation where there's a 'predominent community practice' on the attribute expected by both IdPs and SP/RPs to carry group membership information?" I imagine opinions vary.

I suppose they do. I think it's unfortunate that the entitlement notion has impeded us from what seems to be a clear win in having a standard group attribute practice.

- RL "Bob"

Archive powered by MHonArc 2.6.16.

Top of Page