shibboleth-dev - Attributes, and Shibboleth -- AAPs and RM policy rules

Subject: Shibboleth Developers

List archive

Attributes, and Shibboleth -- AAPs and RM policy rules


  • From: Steven_Carmody
  • To: 'Shibboleth Project'
  • Subject: Attributes, and Shibboleth -- AAPs and RM policy rules
  • Date: Fri, 18 Jan 2002 15:29:29 -0500

(modified) list of Attributes to support in the initial version:

Affilliation
SHIB_EPPN
Extension
Entitlement
EnrolledCourse
OrganizationalUnit

?? demographic info... (e.g. email, name, etc.)

I think it would be useful to ensure that we have the same understanding of the role and function of AAP processing and RM processing, and then take a look at how consistently we're processing each of these attributes.

AAP processing is concerned with whether to ACCEPT the assertion. It will evaluate the asserting party (do I know who they are, can they make assertions about this security domain). It's also likely to verify that the SecurityDomain in the assertion is equal to the Name of the Domain (passed from the WAYF to the SHIRE). It seems sensible to me that the AAP may be the right time to verify (for some attributes) that a particular SecurityDomain can assert a particular urn. However, doing this will require parsing the urn, and that may be "bad behavior in the extreme". (Actually, I've forgotten the example where this might be useful. Looking at the RM policy down below, I'm not sure that gets any simpler if the AAP could do this check... if anyone can see an example of this, please post.)

On the other hand, I think it might be useful if AAP processing constrained itself to looking at asserting party and Security Domain, and never bothered with AttributeValue.

I'd propose that policy rules look something like this:

(AttributeName):(SecurityDomain):(AttributeValue)

Examples would include:

Affilliation:brown.edu:staff
SHIB_EPPN:brown.edu:Steven_Carmody
Extension:brown.edu: urn:mace:brown.edu:group: NeedBlindTaskForce
Entitlement:brown.edu: urn:mace:xSTOR5.org:contract1234
EnrolledCourse:brown.edu:Physics201
OrganizationalUnit:brown.edu:Department of Economics (need a word here about embedded blanks..)

Interestingly, this proposal seems to work for all of the attributes we're currently concerned about. So, if this turns out to be a workable, generalizable rule, this may help us to determine which Entitlement option to choose...


--

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at
http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--
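The split the message proposes (AAP decides whether to ACCEPT an assertion by looking only at the asserting party and the SecurityDomain; RM policy rules of the form AttributeName:SecurityDomain:AttributeValue then decide access) can be made concrete in code. The following is an added example written for this page; it is not code from the Shibboleth project or from the message's author. The rule-file syntax details are assumptions: only the first two colons are field separators (so urn-valued attributes survive), whitespace around fields is dropped, blanks inside a value are kept (the message leaves the embedded-blank question open), and blank lines and `#` comments are ignored. The trust table `TRUSTED`, the sample policy, and the sample assertions are constructed for the example.

```python
"""Model of the AAP / RM split proposed in the message (added example; not code
from the Shibboleth project or from the message's author).

AAP processing only asks whether to ACCEPT the assertion: is the asserting party
known, may it assert about this SecurityDomain, and does the SecurityDomain
match the domain the WAYF handed to the SHIRE.  RM policy rules of the form

    AttributeName:SecurityDomain:AttributeValue

are then matched against the accepted attributes.  Rule syntax (split on the
first two colons only, strip blanks around fields, keep embedded blanks in the
value, '#' comments) is an assumption of this example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    attribute: str
    domain: str
    value: str


def parse_rule(line: str) -> Rule:
    """Parse one AttributeName:SecurityDomain:AttributeValue rule.

    Only the first two colons separate fields, so values that are themselves
    URNs (urn:mace:...) stay intact.  Blanks around each field are dropped;
    blanks inside the value (e.g. "Department of Economics") are kept.
    """
    parts = line.split(":", 2)
    if len(parts) != 3:
        raise ValueError(f"rule needs three colon-separated fields: {line!r}")
    attribute, domain, value = (p.strip() for p in parts)
    if not (attribute and domain and value):
        raise ValueError(f"empty field in rule: {line!r}")
    return Rule(attribute, domain, value)


def parse_policy(text: str) -> list[Rule]:
    """Parse a policy file; blank lines and '#' comments are skipped (assumed syntax)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            rules.append(parse_rule(line))
    return rules


@dataclass(frozen=True)
class Assertion:
    asserting_party: str               # origin site that issued the assertion
    security_domain: str               # SecurityDomain named inside the assertion
    attributes: dict[str, list[str]]   # AttributeName -> AttributeValues


def aap_accept(assertion: Assertion, wayf_domain: str,
               trusted_parties: dict[str, set[str]]) -> tuple[bool, str]:
    """AAP step: decide whether to accept the assertion at all.

    trusted_parties maps an asserting party to the SecurityDomains it may
    assert about.  AttributeValues are deliberately never examined here.
    """
    allowed_domains = trusted_parties.get(assertion.asserting_party)
    if allowed_domains is None:
        return False, "unknown asserting party"
    if assertion.security_domain not in allowed_domains:
        return False, "party may not assert about this SecurityDomain"
    if assertion.security_domain != wayf_domain:
        return False, "SecurityDomain differs from the domain passed from the WAYF"
    return True, "accepted"


def rm_matches(assertion: Assertion, rules: list[Rule]) -> list[Rule]:
    """RM step: return every policy rule the (already accepted) assertion satisfies."""
    hits = []
    for rule in rules:
        if rule.domain != assertion.security_domain:
            continue
        if rule.value in assertion.attributes.get(rule.attribute, []):
            hits.append(rule)
    return hits


def authorize(assertion: Assertion, wayf_domain: str,
              trusted_parties: dict[str, set[str]], rules: list[Rule]) -> tuple[bool, str]:
    """Full pipeline: AAP acceptance first, then at least one RM rule must match."""
    ok, reason = aap_accept(assertion, wayf_domain, trusted_parties)
    if not ok:
        return False, f"AAP rejected: {reason}"
    hits = rm_matches(assertion, rules)
    if not hits:
        return False, "RM: no policy rule matched"
    return True, "RM: matched " + ", ".join(f"{r.attribute}={r.value}" for r in hits)


# Constructed sample policy built from the examples in the message.
SAMPLE_POLICY = """
# urn-valued and blank-containing values side by side
Affilliation:brown.edu:staff
SHIB_EPPN:brown.edu:Steven_Carmody
Extension:brown.edu: urn:mace:brown.edu:group:NeedBlindTaskForce
Entitlement:brown.edu: urn:mace:xSTOR5.org:contract1234
EnrolledCourse:brown.edu:Physics201
OrganizationalUnit:brown.edu:Department of Economics
"""

# Constructed trust table: brown.edu's origin may assert only about brown.edu.
TRUSTED = {"brown.edu": {"brown.edu"}}


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    staff = Assertion("brown.edu", "brown.edu",
                      {"Affilliation": ["staff"], "EnrolledCourse": ["Physics201"]})
    print(authorize(staff, "brown.edu", TRUSTED, rules))
    # Same attributes, but the WAYF named a different domain: AAP rejects it.
    print(authorize(staff, "mit.edu", TRUSTED, rules))
```

Because `aap_accept` never looks at attribute values, an assertion with a forged value from a known party and matching domain still gets through the AAP; it is the RM rule's `(AttributeName, SecurityDomain, AttributeValue)` triple that stops it, which is exactly the division of labour the message argues for.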



  • Attributes, and Shibboleth -- AAPs and RM policy rules, Steven_Carmody, 01/18/2002
