Shibboleth Developers

On monday's call, I agreed to try to develop scenario's describing 
some of the more "likely" real-world situations we should expect to 
encounter on campuses. Once we agree on a set of use cases, we can 
start to explore the implications for the UI, and for the underlying 
campus middleware infrastructure.

- Jane Doe is teaching Chem 101. She has convinced a friend at 
another university to grant the Chem 101 students access to a 
controlled web site in the friend's department. Jane goes to the AA 
user interface, authenticates, and then enters an ARP that specifies 
that

        - for any student in Chem 101
        - accessing the target "friends web site"
        - the attribute "enrolledCourse=Chem101" will be released.
	- she also enters a filter blocking the release of EPPN (in 
case any individual student attempts to create their own ARP 
releasing EPPN)

Q's - how do we know Jane is authorized to do this?
	- if a student creates their own ARP, attempting to override 
Jane's, would we, could we find Jane's filter? Or does the site admin 
have to enter that?

- Chem 101 again. Except the grad student TA enters the ARP. How do 
we know this person is authorized?

- Several faculty and grad students in the planetary geology group at 
State U are members of a multi-campus research project. One of the 
grad students manages ARPs for the group. A new controlled web site 
is created at Other U. The ARP manager enters a new ARP specifying:

        - for any member of the planetary group
        - accessing the site at Other U
	- the attribute Extension 
URI="urn:mace:state.edu:group:geology:planetary-group" will be 
released

Q's - any authorization issues?
	- presumably, we want the ARP manager to see a more user 
friendly UI than having to enter this URN... what should that look 
like?

- Joe, the office administrator in the Office of Faculty Governance, 
is also the webmaster for the office. He wants to give all the 
faculty access to a new web site containing the reports of a Task 
Force. He enters a new ARP specifying:

        - for any member of the faculty
        - accessing this new web site
        - release the attribute "AFFILIATION=FACULTY"

- Jane Doe, the Department Manager in Physics, is also responsible 
for managing the ARPs controlling access to resources licensed by the 
department. The department licenses access to BLAH, a journal devoted 
to articles about the new sub-atomic BLAH particle. She enters an ARP 
specifying:

        - for any member of the physics faculty
        - for an grad student in Physics
        - any undergraduate Physics concentrator
        - accessing the BLAH journal site
	- release the attribute Entitlement 
URI="urn:mace:blah.org:contract1234"

Q's - any authz over who can specify the release of this URI?
        - a friendly UI.....

- semester roll-over. The site admin does something to remove all of 
the ARPs from the AA that are related to courses taught last 
semester..... and then loads the "standard set" of course-related 
ARPs for the upcoming semester.


--

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

   http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--