Subject: Grouper Users - Open Discussion List
- From: "RL 'Bob' Morgan" <>
- To: Martin van Es <>
- Cc: Grouper Users Mailing List <>, Hans Zandbelt <>
- Subject: Re: [grouper-users] Grouper and federative login
- Date: Tue, 24 Feb 2009 09:59:54 -0800 (PST)
> Anybody any experience using Grouper in a Shibbolized (or other federative protocol) environment that could comment on this?
As Peter says, SAML per se is neutral about what sort of thing, if any, is sent by IdPs and interpreted by SPs as the traditional "username". This is because SAML originally was driven by products used in bilateral corporate deployments where they just made something up for the purpose. Those of us promoting federations (http://wiki.rediris.es/tf-emc2/index.php/Federations) have dealt with issues like creating a common multi-institution username space at the federation level. E.g. the US InCommon federation manages "scopes" as used in eduPerson-defined scoped attributes, primarily eduPersonPrincipalName and eduPersonTargetedId, so that each IdP has a defined set of scopes it can assert (usually just one, e.g. "washington.edu" for the University of Washington IdP, so my EPPN is ""). I think other federations have done this also, or something like it. If you're not operating in a federation context then things are wide open.
I heard about one Grouper deployment that created a custom Subject adapter that presents the currently authenticated user as a Subject, which might be the kind of thing you're looking for.
As Chris implies, you need to clarify what you're looking for from federated access. If it's just a few well-defined federated users, then something static may be OK.
At UW our Grouper-like group-management UI permits access by any of our 400K UW NetIDs, more or less. It uses Shib for authn so theoretically could be extended to any InCommon Federation user (many millions). Would that imply a need to manage a list of who can authenticate, or would it be OK to let any of those millions in (as we do with our federated wiki)? Not clear at this point. That system also lets any id (local or federated) be entered as a group member without doing any checking against a subject store, so we're thinking about how Grouper might support ad-hoc entry of federated ids as members.
So you might want to step back and think about what you're trying to accomplish with what community regarding Grouper.
- RL "Bob"
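Added example, not code from this thread or from Grouper: the scope check that the federation model described above depends on, in which an SP accepts a scoped attribute such as eduPersonPrincipalName only if the asserting IdP is registered for that scope. The entity IDs and the scope table are constructed placeholders standing in for what a federation would publish in its SAML metadata.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for federation metadata: the scopes each IdP may assert.
# A real federation publishes this per IdP; these entity IDs and scopes are invented.
IDP_SCOPES = {
    "https://idp.example.edu/idp/shibboleth": {"example.edu"},
    "https://idp.otheruni.example/idp": {"otheruni.example", "alumni.otheruni.example"},
}

# Attribute names (assumed) that carry a "local@scope" value and therefore need the check.
SCOPED_ATTRIBUTES = {"eduPersonPrincipalName", "eduPersonTargetedID"}


@dataclass(frozen=True)
class ScopedValue:
    local: str
    scope: str  # normalized to lower case; DNS-style scopes are case-insensitive


def parse_scoped(value: str) -> ScopedValue:
    """Split 'local@scope', rejecting values with zero or several '@' or an empty part."""
    if value.count("@") != 1:
        raise ValueError(f"not a scoped value: {value!r}")
    local, scope = value.split("@")
    if not local or not scope:
        raise ValueError(f"empty local part or scope: {value!r}")
    return ScopedValue(local, scope.lower())


def accept_scoped_attribute(issuer: str, name: str, value: str) -> Optional[ScopedValue]:
    """Return the parsed value only if `issuer` is registered for its scope.

    Everything else yields None: attributes that are not scoped, values that are not
    of the form local@scope, unknown IdPs, and scopes the IdP is not entitled to
    assert (which is what stops one IdP from minting usernames in another's space).
    """
    if name not in SCOPED_ATTRIBUTES:
        return None
    try:
        parsed = parse_scoped(value)
    except ValueError:
        return None
    if parsed.scope not in IDP_SCOPES.get(issuer, set()):
        return None
    return parsed
```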