Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] cookbook for protecting Grouper UI using Shibboleth

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] cookbook for protecting Grouper UI using Shibboleth

Chronological Thread 
  • From: Rob Gorrell <>
  • To:
  • Subject: Re: [grouper-users] cookbook for protecting Grouper UI using Shibboleth
  • Date: Thu, 16 May 2013 14:10:32 -0400
  • Authentication-results:; dkim=neutral (message not signed) header.i=none

So I've made some progress... seems what was being displayed by Grouper was the persistantId coming from shibb since eppn was getting filtered out due to a whitespace issue in the scope area of my IdP's metadata. Thats all resolved now and I'm mapping a shibb session into a provisioned grouper subject using eppn and remote_user. But this brings about a new question regarding grouper subjects...

since I'm logging people into grouper using eppn which is a scoped attribute, the subjects i provision must also be scoped (). I hadn't thought about creating my subjects as scoped values... so i could have the shibb sp 'unscope' it before mapping into remote_user and create my subjects as normal usernames as I had intended. But then I started thinking about leaving the subjects scoped to open the door for using grouper in a more federated since (though I hadn't really thought about this prior and I'm not sure how you'd provision external subjects ahead of time).

so I was just curious for those protecting the UI with shibb, are you stripping of the scope from eppn, or are you creating your subjects in grouper fully scoped?


Archive powered by MHonArc 2.6.16.

Top of Page