
grouper-users - Re: [grouper-users] Grouper and federative login

Subject: Grouper Users - Open Discussion List

  • From: Peter Schober <>
  • To: Grouper Users Mailing List <>
  • Subject: Re: [grouper-users] Grouper and federative login
  • Date: Tue, 24 Feb 2009 17:27:25 +0100
  • Organization: Vienna University Computer Center

* Martin van Es <> [2009-02-24 16:24]:
> After a successful authentication (eg Shibboleth) via some apache module, the
> only link to Grouper would be getRemoteUser(). This is a single valued string
> so I would have no knowledge about the institution that the user was
> authenticated against, unless I come up with a way to concatenate the user_id
> and institution (user_id@institution eg) to prevent duplicates, assuming that
> a user_id cannot contain a @ in this case.

As far as the identifiers are concerned: Shibboleth IdPs (or SAML
Attribute Authorities, for that matter) should release an identifier
that has a syntax and semantics to make it globally unique, possibly
even persistent. It's then the job of e.g. the Shibboleth SP (i.e. the
SAML relying party) to map one of those attributes to REMOTE_USER
(e.g. eduPersonPrincipalName or eduPersonTargetedId).

Cheers,
-peter

--

- vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140
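
Added example, not part of the original message or of Grouper: a sketch of how an application behind the SP could recover the institution from the single-valued REMOTE_USER discussed above, and reject values that are not globally unique. It assumes the SP maps either eduPersonPrincipalName (`user@scope`) or the `IdP-entityID!SP-entityID!opaque` string form of eduPersonTargetedID; `parse_remote_user`, `FederatedSubject` and all sample values are hypothetical and constructed.

```python
from typing import NamedTuple


class FederatedSubject(NamedTuple):
    kind: str         # "eppn" or "targeted-id"
    institution: str  # eppn scope, or the IdP entityID for a targeted id
    local_id: str     # user part, or the opaque per-SP value
    subject_key: str  # value to store as the subject identifier


def parse_remote_user(remote_user: str) -> FederatedSubject:
    """Split a federated REMOTE_USER into institution and local identifier."""
    value = (remote_user or "").strip()
    if not value or any(c.isspace() for c in value):
        raise ValueError("REMOTE_USER is empty or contains whitespace")

    # Targeted id (assumed serialization): idp!sp!opaque, all parts non-empty.
    if value.count("!") == 2:
        idp, sp, opaque = value.split("!")
        if not (idp and sp and opaque):
            raise ValueError("targeted id has an empty component")
        # The opaque part is unique only per IdP and SP, so the key is the
        # whole value, never the opaque part alone.
        return FederatedSubject("targeted-id", idp, opaque, value)

    # Scoped identifier: exactly one '@' with text on both sides. A bare
    # "jdoe" is refused because it says nothing about the institution.
    if value.count("@") != 1:
        raise ValueError("expected exactly one '@' in a scoped identifier")
    user, scope = value.split("@")
    if not user or not scope:
        raise ValueError("scoped identifier has an empty user or scope")
    return FederatedSubject("eppn", scope, user, value)


# Constructed sample values, not taken from any real deployment.
SAMPLES = [
    "jdoe@example.edu",
    "jdoe@example.org",
    "https://idp.example.edu/idp/shibboleth"
    "!https://grouper.example.org/shibboleth!a1b2c3",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        subject = parse_remote_user(sample)
        print(subject.kind, subject.institution, subject.local_id)
```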


