
shibboleth-dev - Attributes, and Shibboleth -- Extension

Subject: Shibboleth Developers

  • From:
  • To: "'Shibboleth Project'" <>, <>,
  • Subject: Attributes, and Shibboleth -- Extension
  • Date: Fri, 18 Jan 2002 15:29:26 -0500

At 12:18 PM -0500 12/14/01, wrote:
Example 7: Ms. Bar is a member of the group "NeedBlindTaskForce". The
institutional LDAP directory has some way of indicating membership in this group.

The corresponding ARM would look like this:

<Attribute AttributeName="eduPersonExtension"
           AttributeNamespace="urn:mace:eduPerson">
  <AttributeValue xsi:type="eduPerson:ExtensionType">
    <group>NeedBlindTaskForce</group>
  </AttributeValue>
</Attribute>


When I originally proposed this, I wasn't thinking too much about the AAP, and I was expecting that the RM's policy rules would contain something like NeedBlindTaskForce@SecurityDomain.

However, I think much of the discussion about entitlements also applies to this attribute. So I'd now propose the following for example 7:

(definition of ExtensionType to be the same as EntitlementType)

<Attribute AttributeName="eduPersonExtension"
           AttributeNamespace="urn:mace:eduPerson">
  <AttributeValue xsi:type="eduPerson:ExtensionType">
    <Entitlement URI="urn:mace:brown.edu:group:NeedBlindTaskForce"/>
  </AttributeValue>
</Attribute>

This might even enable some useful AAP checking... altho I doubt we're supposed to parse these strings; I fear we're supposed to treat them as opaque.

It would be helpful, tho, if (for Extension) we could require that

SecurityDomain equal that "field" in urn:mace:SecurityDomain:blah

this certainly won't always hold for entitlement, tho.
--

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at
http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--
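
The check suggested in the message above (for Extension, require that SecurityDomain equal the field after urn:mace:), as an added example that is not part of the original post or of Shibboleth's code. The function names, the constructed sample (with an xmlns:xsi declaration added so the fragment parses) and the case-insensitive domain comparison are assumptions.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: the proposed Example 7 value, with an xmlns:xsi
# declaration added so the fragment parses on its own.
SAMPLE = """<Attribute xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    AttributeName="eduPersonExtension" AttributeNamespace="urn:mace:eduPerson">
  <AttributeValue xsi:type="eduPerson:ExtensionType">
    <Entitlement URI="urn:mace:brown.edu:group:NeedBlindTaskForce"/>
  </AttributeValue>
</Attribute>"""


def extension_uris(xml_text):
    """Return the Entitlement URIs carried in eduPersonExtension values."""
    if "<!DOCTYPE" in xml_text:  # refuse DTDs and entity definitions from peers
        raise ValueError("DTD not allowed")
    attr = ET.fromstring(xml_text)
    if attr.get("AttributeName") != "eduPersonExtension":
        return []
    # Assumption: the xsi:type QName is compared as written, prefix included.
    return [e.get("URI", "")
            for v in attr.iter("AttributeValue")
            if v.get(XSI_TYPE) == "eduPerson:ExtensionType"
            for e in v.iter("Entitlement")]


def domain_field(uri):
    """Return the field after urn:mace:, or None if the URI is malformed."""
    parts = uri.split(":")
    # Need urn, mace, a domain and at least one trailing field.
    if len(parts) < 4 or [p.lower() for p in parts[:2]] != ["urn", "mace"]:
        return None
    # Reject empty fields and embedded whitespace rather than guessing.
    if not all(parts[2:]) or any(c.isspace() for c in uri):
        return None
    return parts[2].lower()


def accept_extension(xml_text, security_domain):
    """Keep only URIs whose domain field equals the asserting origin's domain."""
    return [u for u in extension_uris(xml_text)
            if domain_field(u) == security_domain.lower()]
```

The check reads only the fixed-position domain field and leaves the rest of the URI uninterpreted, so everything after the domain is still handled as an opaque string.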



