Skip to Content.
Sympa Menu

grouper-dev - Re: [grouper-dev] secure Shibboleth - Grouper integration

Subject: Grouper Developers Forum

List archive

Re: [grouper-dev] secure Shibboleth - Grouper integration

Chronological Thread 
  • From: Brendan Bellina <>
  • To: Chris Hyzer <>
  • Cc: "Michael A. Grady" <>, Grouper Dev <>
  • Subject: Re: [grouper-dev] secure Shibboleth - Grouper integration
  • Date: Fri, 04 Sep 2009 10:18:11 -0700

I'm missing how what you are proposing accomplishes the requirement "expose their group information to their own SP." It sounds like all "Shib" group memberships (which means any group needed by any SP) will be released to all SPs. That doesn't sound very secure or privacy preserving.

When we release group memberships through Shib, which we will be doing shortly in support of Confluence, we will use ARPs to restrict which membership values are released. For LDAP enabled applications we do this through LDAP ACIs which restrict the service account the application uses to bind. I don't see how you can escape some degree of central administration.



On Sep 3, 2009, at 7:38 PM, Chris Hyzer wrote:

Thank you everyone for your interest in this discussion, and excuse my Shib ignorance.

Let me frame this topic a little better.

Again, we would like the IdP administrator not to have to make changes for each SP who needs a different group released (as attribute or entitlement), and we would like that group not to be released to all SP's, only the one(s) who need it.

I picture the people who would want to expose memberships are application developers/integrators, who are building applications, integrating with shib as an SP, and creating/admining some groups (used as roles) for the application. I had hoped they could expose their group information to their own SP, and it is safe and private.

But, since this doesn't seem convenient to do in Shib, we are going down a path that was criticized at the educause CAMP where group- admins in grouper can mark groups as shib-enabled or not. If shib- enabled, then all penn-internal SP's will see the membership. We will not have a way to mark a group as shib enabled for non-Penn SP's.

It just seems that with this, SP admins might decide that using Shib is easier that using shib and figuring out how to be a grouper ldap or web service client, and might make a group public when it shouldn't be (for convenience sake). Though our documentation will say that exposing groups in Shib is only for membership data which is not sensitive.

I had thought putting memberships in shib attributes/entitlements would make things easier for application developers, and could be done securely, and without central administrative work, but maybe they shouldn't be used the way I had hoped.

If anyone wants to discuss this offline at the member meeting in San Antonio, I would be interested.


-----Original Message-----
From: Michael A. Grady
Sent: Thursday, September 03, 2009 9:04 PM
To: Grouper Dev
Subject: Re: [grouper-dev] secure Shibboleth - Grouper integration

It seems to me that this also raises some interesting questions about
the *right* to release a group membership. If I create and maintain a
group in which membership implies a person is a student, do I and the
person running the IdP have the right to release that group
membership without checking with the authoritative source for all
things "student" -- the Registrar? Managing group memberships can
delegate the management of who has what entitlement, but I don't see
that it helps much with the management of the ARPs within the IdP --
that would still take explicitly deciding to release a specific value
(or set of values) to a specific service, and getting any and all
necessary approvals ahead of time.

Of course, the "easy solution" to that will be user consent for
everything. :-)

On Sep 3, 2009, at 1:40 PM, Brendan Bellina wrote:

One of the issues to bear in mind in either case though is that a
person may be a member of groups that have nothing to do with the
application and should possibly not be shared with the
application. So you will need a way to restrict which values are
returned. ARP's can do that but how you name your groups or
populate your entitlements will have a bearing.

We populate both entitlement and the eduCourse attributes.


Brendan Bellina
Univ of Southern California

On Sep 3, 2009, at 8:49 AM, RL 'Bob' Morgan wrote:

I don't know, but I will ask our Shib people. Quick question
though, does that make what Im talking about easier? :)
Do you know some of the pros cons?

No, doesn't make your job easier.

It probably doesn't make the access control job easier but I
definitely think it can make the overall job easier. In my
experience entitlements have to be created and supported one by
one by IdP staff, including deciding on the value and mapping it
to some way of determining membership. By contrast, the whole
point of a groups service like Grouper is that creation and
maintenance of groups can be delegated to the people who are close
to them. So if groups have a standard expression as Shib
attributes, a group can be defined and consumed by an app with no
IdM-team involvement at all, which seems like a big win to me.

My implicit question was, "Is it worthwhile to try to get to a
situation where there's a 'predominent community practice' on the
attribute expected by both IdPs and SP/RPs to carry group
membership information?" I imagine opinions vary.

I suppose they do. I think it's unfortunate that the entitlement
notion has impeded us from what seems to be a clear win in having
a standard group attribute practice.

- RL "Bob"

Michael A. Grady
Executive Program Officer for Cyberinfrastructure
Office of the CIO, University of Illinois at Urbana-Champaign
2222 DCL, MC 256, 1304 W. Springfield Ave., Urbana, IL 61801
217.244.1253 phone, 217.244.4780 fax

Archive powered by MHonArc 2.6.16.

Top of Page