shibboleth-dev - RE: Attributes, and Shibboleth -- Extension
Subject: Shibboleth Developers
List archive
- From: "Scott Cantor" <>
- To: "'Shibboleth Project'" <>, <>, <>
- Subject: RE: Attributes, and Shibboleth -- Extension
- Date: Sat, 19 Jan 2002 15:46:26 -0500
- Importance: Normal
- Organization: The Ohio State University
> <Attribute AttributeName="eduPersonExtension"
> AttributeNamespace="urn:mace:eduPerson">
> <AttributeValue xsi:type="eduPerson:ExtensionType">
> <Entitlement URI="urn:mace:brown.edu:group: NeedBlindTaskForce"/>
> </AttributeValue>
> </Attribute>
>
> This might even enable some useful AAP checking... altho I doubt
> we're supposed to parse these strings; I fear we're supposed to
> treat them as opaque.
>
> It would be helpful, tho, if (for Extension) we could require that
>
> SecurityDomain equal that "field" in urn:mace: SecurityDomain:blah
>
> this certainly won't always hold for entitlement, tho.
I'm not sure that there's any rule one way or the other that says what
you can do with a URN. It's a name, and names are whatever you want them
to be, basically. There are resolvers for URN namespaces that turn them
into URLs, so obviously you can parse them if you want to.
The issue here is that only certain organizations should be allowed to
assert membership in groups identified with certain URIs. The only way
to enforce that is to express that mapping somehow.
-- Scott
------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at
http://archives.internet2.edu/
------------------------------------------------------mace-shib-design--
- Attributes, and Shibboleth -- Extension, Steven_Carmody, 01/18/2002
- RE: Attributes, and Shibboleth -- Extension, Scott Cantor, 01/19/2002
Archive powered by MHonArc 2.6.16.