grouper-dev - [grouper-dev] external members with targeted id
- From: Chris Hyzer <>
- To: Grouper Dev <>, Keith Hazelton <>
- Subject: [grouper-dev] external members with targeted id
- Date: Wed, 3 Nov 2010 09:33:51 -0400
- Accept-language: en-US
Hey, Keith had mentioned supporting external members with targeted ID a while back, and I didn't really understand how that would work (I'm not a shib person). But I talked with Brendan last night, and he explained it to me again, and now I think that is something that should be on our radar.

I think it would work with my plan for external people.

1. Someone invites someone by email, with the provisioning of groups on registration.
2. That person signs in to the registration page and the targeted ID goes to Grouper.
3. The person enters perhaps some personal information into the registration page so that they can be contacted, found in pickers, perhaps email if the application requires it. They are assigned to the groups that the inviter wanted.

Some issues:

Pros of eppn
- That is something that is not user entered (non-vetted); it is secure to use that to assign the user to groups.

Cons of eppn
- If the user's IdP does not release this by default, the user will need to work with their IdP maintainer to release that to the Grouper and application SPs (uApprove could help once it is widely deployed).
- If eppn changes for a person, then they lose their rights until they get re-added by the application owner, or edited by the Grouper admin.

Pros of targeted ID
- User might not need to talk to their IdP maintainers.
- Personal information is not sent to the SP.

Cons of targeted ID
- If multiple SPs at one institution need to have the same external user in their systems (in one Grouper), then the external user's IdP could be configured to send the same targeted ID to the multiple SPs, or the user could have multiple accounts in Grouper.
- All of the user-readable attributes in Grouper are entered by the user (non-vetted), so once the user is in Grouper, and someone wants to put them in other groups, it seems like it would be difficult to trust finding and assigning the person without another email invite loop…
- Some changes in setup (if the IdP or SP change in certain ways) could change the targeted ID. That could be confusing for the Grouper administrator to map the old one to the new one…

Discussion? Other considerations?

Bottom line is, I think Grouper would do either in 2.0, so we can wait for a use case and see how it goes… :)

Thanks,
Chris
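The invite-and-register flow and the eppn versus targeted ID trade-offs discussed in the message above, modelled as an added example. This is constructed illustration code, not Grouper's or Shibboleth's; the HMAC-based `targeted_id` stand-in, the `ExternalRegistry` class, the attribute names and the group and entity ID values are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

IDP_SECRET = b"constructed-idp-secret"  # constructed; a real IdP keeps its own salt

def targeted_id(user: str, sp_entity_id: str) -> str:
    """Constructed stand-in for an IdP's targeted/persistent ID: an opaque
    HMAC over (user, SP), so it is stable for one SP and differs between SPs."""
    msg = f"{user}|{sp_entity_id}".encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:32]

@dataclass
class ExternalRegistry:
    """Toy Grouper-side store of external subjects, keyed on one SSO attribute."""
    id_attr: str                                 # "eppn" or "targetedId"
    invites: dict = field(default_factory=dict)  # token -> groups to provision
    members: dict = field(default_factory=dict)  # subject id -> set of groups

    def invite(self, groups) -> str:
        token = secrets.token_urlsafe(16)        # mailed to the invitee (step 1)
        self.invites[token] = set(groups)
        return token

    def register(self, token: str, sso_attrs: dict) -> str:
        groups = self.invites.pop(token, None)   # pop: each invite is single use
        if groups is None:
            raise ValueError("unknown or already-used invite token")
        subject = sso_attrs.get(self.id_attr)    # released by the IdP (step 2)
        if not subject:
            raise ValueError(f"IdP did not release {self.id_attr}")
        self.members.setdefault(subject, set()).update(groups)  # step 3
        return subject

    def groups_for(self, sso_attrs: dict) -> set:
        return set(self.members.get(sso_attrs.get(self.id_attr), ()))

def eppn_change_loses_rights() -> bool:
    """Con of eppn: a renamed eppn no longer matches the registered subject."""
    reg = ExternalRegistry("eppn")
    reg.register(reg.invite(["etc:collab"]), {"eppn": "alice@idp.example"})
    return reg.groups_for({"eppn": "alice.smith@idp.example"}) == set()

def targeted_id_differs_per_sp() -> bool:
    """Con of targeted ID: two SPs receive different IDs for the same person."""
    at_grouper = targeted_id("alice", "https://grouper.example/shibboleth")
    at_app = targeted_id("alice", "https://app.example/shibboleth")
    return at_grouper != at_app
```

Because the invite token is popped on first use, the email loop is the only step that binds the SSO identifier to the inviter's intended groups; everything the subject types on the registration page stays untrusted.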
- [grouper-dev] external members with targeted id, Chris Hyzer, 11/03/2010
- Re: [grouper-dev] external members with targeted id, Jim Fox, 11/03/2010
- Re: [grouper-dev] external members with targeted id, Brendan Bellina, 11/03/2010
- RE: [grouper-dev] external members with targeted id, Chris Hyzer, 11/04/2010
- Re: [grouper-dev] external members with targeted id, Jim Fox, 11/04/2010
- Re: [grouper-dev] external members with targeted id, Jim Fox, 11/03/2010