
grouper-dev - Re: [grouper-dev] secure Shibboleth - Grouper integration

Subject: Grouper Developers Forum

  • From:
  • To: Grouper Dev <>
  • Subject: Re: [grouper-dev] secure Shibboleth - Grouper integration
  • Date: Fri, 4 Sep 2009 10:33:48 -0400

At 8:04 PM -0500 9/3/09, Michael A. Grady wrote:
It seems to me that this also raises some interesting questions about the *right* to release a group membership. If I create and maintain a group in which membership implies a person is a student, do I and the person running the IdP have the right to release that group membership without checking with the authoritative source for all things "student" -- the Registrar? Managing group memberships can delegate the management of who has what entitlement, but I don't see that it helps much with the management of the ARPs within the IdP -- that would still take explicitly deciding to release a specific value (or set of values) to a specific service, and getting any and all necessary approvals ahead of time.

Of course, the "easy solution" to that will be user consent for everything. :-)


Here at Brown, we're moving forward with installing the SWITCH-developed uApprove IdP plugin:

http://www.switch.ch/aai/support/tools/uApprove.html

Combined with a new Resolver plugin available in the brand new IdP release, sites could configure a set of attributes that would essentially be managed for release by each user. I was imagining that 1) we'd have a conversation with the Registrar about this functionality and get their "global blessing" for allowing every student to manage the release of some of their attributes, and 2) allow students to manage the release of attributes such as Affiliation.

Note that several months back I asked on the ICPL list whether uApprove was "FERPA compatible", and two people whom I consider to be FERPA experts responded positively. Even if a student has opted out under FERPA, clicking APPROVE to uApprove is sufficient for FERPA-related approval.

Given the use cases people are exploring related to the release of Group Membership information... what role, if any, do you see uApprove possibly playing?


