Grouper Developers Forum (grouper-dev) list archive
RE: [grouper-dev] external members with targeted id

  • From: Chris Hyzer <>
  • To: Jim Fox <>, Grouper Dev <>, Keith Hazelton <>
  • Subject: RE: [grouper-dev] external members with targeted id
  • Date: Thu, 4 Nov 2010 00:09:11 -0400
  • Accept-language: en-US

Ok, I'm thinking more about this:

1. Invite goes to email address of external person, email has link with UUID in it

2. Person goes to registration page hosted at Grouper UI (SP #1)

3. Grouper associates the email address, targeted ID based on the UUID in link in email

4. Grouper assigns that user to groups specified by inviter

5. Person goes to application (SP #2), application looks up permissions based on targeted id

6. Unless the IdP sent the same targeted ID, then it won't work…

I was hoping that targeted ID could be a way to include external users with no IdP configuration, but now I am not seeing how it would work since there are at least two SPs involved, even for one application. For a locked down attribute release policy, either the IdP needs to release eppn, or link the SPs of an external institution to the same targeted ID… hmm

3. The person enters perhaps some personal information into the registration page so that they can be contacted, found in pickers, perhaps email if the application requires it. They are assigned to the groups that the inviter wanted

> How would that assignment happen?  Where's the connection between ePTID and invitation?


The invitation has a UUID in it, same with link back to registration page


> The discussion comes up at UW as to what "no restrictions" means when applied to readership of a group, although it sounds awfully obvious to me. There is some confusion as to whether the world in "world read" means the local outfit or something like 'world'.


Good point.  Well, world read is constrained by who can log in to the application… i.e. would the external person be able to log in to the Grouper WS?  The admin portion of the UI?  Etc?  Each has its own ACLs, so even if world readable, it is limited to people who can use the application exposing it…  if you let externals SSO to WS or manage groups with the admin UI then they would be able to read GrouperAll readable groups.
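The per-SP behaviour of targeted ID that the message above runs into, as an added illustration that is not part of the thread: a pairwise identifier is derived per (user, SP) pair, so the value recorded at the Grouper UI (SP #1) does not equal the value the application (SP #2) sees unless the IdP treats both SPs as one linked group. The derivation is modeled on the computed-ID style of Shibboleth IdPs; the salt, entityIDs, user names and the `linked_sps` model are constructed assumptions for this example.

```python
import base64
import hashlib

# Constructed sample values (assumptions, not from the thread): a salt the IdP
# would keep secret, and the entityIDs of the two relying parties in the flow.
SALT = b"constructed-example-salt"
GROUPER_UI_SP = "https://grouper.example.edu/shibboleth"   # SP #1 (registration)
APPLICATION_SP = "https://app.example.edu/shibboleth"      # SP #2 (application)


def targeted_id(idp_user_id: str, sp_entity_id: str, salt: bytes = SALT) -> str:
    """Derive a pairwise (targeted) identifier for one user at one SP.

    Modeled on a Shibboleth-style computed ID: base64(sha1(sp!user!salt)).
    Assumption: production IdPs may instead store a persistent ID per pair.
    The value is stable for a given (user, SP) but differs across SPs by design.
    """
    material = f"{sp_entity_id}!{idp_user_id}!".encode() + salt
    return base64.b64encode(hashlib.sha1(material).digest()).decode()


def invitation_would_match(idp_user_id: str, registration_sp: str,
                           application_sp: str, linked_sps=()) -> bool:
    """Simulate the flow in the message.

    Registration at SP #1 records the targeted ID seen there; SP #2 later looks
    up permissions by the ID it receives. `linked_sps` models an IdP that
    releases one targeted ID to a whole set of SPs (the "link the SPs of an
    external institution" option); outside that set each SP gets its own value.
    """
    def effective_sp(sp: str) -> str:
        if sp in linked_sps:
            return "affiliation:" + "|".join(sorted(linked_sps))
        return sp

    recorded = targeted_id(idp_user_id, effective_sp(registration_sp))
    seen_at_app = targeted_id(idp_user_id, effective_sp(application_sp))
    return recorded == seen_at_app


if __name__ == "__main__":
    # Two separate SPs: the lookup at the application fails.
    print(invitation_would_match("jdoe", GROUPER_UI_SP, APPLICATION_SP))
    # Same SPs linked at the IdP: the IDs line up.
    print(invitation_would_match("jdoe", GROUPER_UI_SP, APPLICATION_SP,
                                 linked_sps={GROUPER_UI_SP, APPLICATION_SP}))
```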