Skip to Content.
Sympa Menu

grouper-dev - Re: [grouper-dev] secure Shibboleth - Grouper integration

Subject: Grouper Developers Forum

List archive

Re: [grouper-dev] secure Shibboleth - Grouper integration

Chronological Thread 
  • From: Brendan Bellina <>
  • To: Grouper Dev <>
  • Subject: Re: [grouper-dev] secure Shibboleth - Grouper integration
  • Date: Fri, 04 Sep 2009 10:04:55 -0700

One possible issue that comes to mind regarding uApprove is that the attributes and even values shown by uApprove may not mean very much to the user. For example, our group dn's and entitlements as well are based on opaque identifiers. So showing a user a list of isMemberOf values or ePAs and asking them to approve which ones can be released to an SP isn't really going to be very helpful. uApprove would need to query for additional information about the groups and display that information in its interface or we would need to provide some kind of mapping document and expect the user to take the time to look them up before responding, and that isn't likely. It isn't as simple as releasing a phone number or an email address, for which little or no explanation would be required.



On Sep 4, 2009, at 7:33 AM,


At 8:04 PM -0500 9/3/09, Michael A. Grady wrote:
It seems to me that this also raises some interesting questions about the *right* to release a group membership. If I create and maintain a group in which membership implies a person is a student, do I and the person running the IdP have the right to release that group membership without checking with the authoritative source for all things "student" -- the Registrar? Managing group memberships can delegate the management of who has what entitlement, but I don't see that it helps much with the management of the ARPs within the IdP -- that would still take explicitly deciding to release a specific value (or set of values) to a specific service, and getting any and all necessary approvals ahead of time.

Of course, the "easy solution" to that will be user consent for everything. :-)

Here at Brown, we're moving forward with installing the SWITCH developed uApprove IdP plugin:

Combined with a new Resolver plugin available in the brand new IdP release, sites could configure a set of attributes that would essentially be managed for release by each user. I was imagining that 1) we'd have a conversation with the Registrar about this functionality and get their "global blessing" for allowing every student to manage the release of some of their attributes, and 2) allow students to manage the release of attributes such as Affiliation.

Note that several months back I asked on the ICPL list whether uApprove was "FERPA compatible", and two people whom I consider to be FERPA experts responded positively. Even if a student has opt-ed out under FERPA, clicking APPROVE to uApprove is sufficient for FERPA related approval.

Given the use cases people are exploring related to the release of Group Membership information... what role, if any, do you see uApprove possibly playing ?

Archive powered by MHonArc 2.6.16.

Top of Page