Skip to Content.
Sympa Menu

grouper-dev - Re: [grouper-dev] secure Shibboleth - Grouper integration

Subject: Grouper Developers Forum

List archive

Re: [grouper-dev] secure Shibboleth - Grouper integration

Chronological Thread 
  • From: "Michael A. Grady" <>
  • To: Grouper Dev <>
  • Subject: Re: [grouper-dev] secure Shibboleth - Grouper integration
  • Date: Thu, 3 Sep 2009 20:04:11 -0500

It seems to me that this also raises some interesting questions about the *right* to release a group membership. If I create and maintain a group in which membership implies a person is a student, do I and the person running the IdP have the right to release that group membership without checking with the authoritative source for all things "student" -- the Registrar? Managing group memberships can delegate the management of who has what entitlement, but I don't see that it helps much with the management of the ARPs within the IdP -- that would still take explicitly deciding to release a specific value (or set of values) to a specific service, and getting any and all necessary approvals ahead of time.

Of course, the "easy solution" to that will be user consent for everything. :-)

On Sep 3, 2009, at 1:40 PM, Brendan Bellina wrote:

One of the issues to bear in mind in either case though is that a person may be a member of groups that have nothing to do with the application and should possibly not be shared with the application. So you will need a way to restrict which values are returned. ARP's can do that but how you name your groups or populate your entitlements will have a bearing.

We populate both entitlement and the eduCourse attributes.


Brendan Bellina
Univ of Southern California

On Sep 3, 2009, at 8:49 AM, RL 'Bob' Morgan wrote:

I don't know, but I will ask our Shib people. Quick question though, does that make what Im talking about easier? :)
Do you know some of the pros cons?

No, doesn't make your job easier.

It probably doesn't make the access control job easier but I definitely think it can make the overall job easier. In my experience entitlements have to be created and supported one by one by IdP staff, including deciding on the value and mapping it to some way of determining membership. By contrast, the whole point of a groups service like Grouper is that creation and maintenance of groups can be delegated to the people who are close to them. So if groups have a standard expression as Shib attributes, a group can be defined and consumed by an app with no IdM-team involvement at all, which seems like a big win to me.

My implicit question was, "Is it worthwhile to try to get to a situation where there's a 'predominent community practice' on the attribute expected by both IdPs and SP/RPs to carry group membership information?" I imagine opinions vary.

I suppose they do. I think it's unfortunate that the entitlement notion has impeded us from what seems to be a clear win in having a standard group attribute practice.

- RL "Bob"

Michael A. Grady
Executive Program Officer for Cyberinfrastructure
Office of the CIO, University of Illinois at Urbana-Champaign
2222 DCL, MC 256, 1304 W. Springfield Ave., Urbana, IL 61801
217.244.1253 phone, 217.244.4780 fax

Archive powered by MHonArc 2.6.16.

Top of Page