Shibboleth Developers

A suggestion for the ARP text:

I've taken the text from section 4.v. (Establishing Default ARPs for 
community), and rearranged it  quite a  bit......

The resulting text is (I think) suitable  for including in Section 2 
(First Steps),  as a new  section (Understanding  ARPs, Planning for 
ARPs,?). Section 2 seems to contain "Planning for Shib" type  info, 
and I  think this text might be consistent with  that intent.

At the end of this note (below the string "Info not used")  is some 
text from the original  4.v. section. I think 4.v. should remain, but 
pruned  down, and with the "what is an ARP" material removed. It 
would then still have info related to its title (Establishing Default 
ARPs for community).

Thoughts?

The Attribute Authority maintains a set of rules, or policies, that 
define which attributes are released to which targets. These rules 
are  called  Attribute Release Policies (ARPs). When a browser user 
tries to access a resource, the  SHAR asks the  origin  site AA to 
release "all allowed attributes". The SHAR provides its own name, 
and  an optional URL. The AA locates the matching ARPs, determines 
which attributes and values it can release, and  then obtains the 
values actually associated  with the browser user. The AA sends these 
attributes and values back to the SHAR.

The AA locates the relevant ARP by first matching against the SHAR 
name. Once  it finds  a  matching SHAR, the AA searches the URL 
trees associated  with that SHAR. The best match is selected, and the 
list of attributes is obtained from that  ARP. Although an arbitrary 
number of ARP's may be defined for an arbitrary number of SHAR's and 
URL trees within SHAR's, only the most precisely matching ARP is 
considered a match, and then  used to determine the release of 
information to a target site.  Domain names are processed first in 
reverse component order, followed by the processing of the rest of 
the URL in normal order.  * is a valid wildcard and all ARP's are 
assumed to terminate in a *.

The ARP, however, is really a template. The AA retrieves the 
attributes and values associated  with the  browser user (typically 
from the campus  directory). The AA then uses the ARP as a filter, to 
determine  which of the attributes actually associated with the user 
should be released. The data sources for the AA are authoritative, 
not the  ARPs. If a user does not possess a particular attribute or 
value, then an ARP cannot cause that attribute to returned to  the 
SHAR.

Every ARP specifies the set of attributes to be released. In 
addition, each attribute could also have a filter associated with it, 
specifying which values should be blocked (ie not released to  the 
SHAR).

There are two kinds of ARPs: site-wide  (applying to every user  at 
the site),  and individual user (applying only to the owning user). 
Site ARPs are created and maintained by the Site Administrator, and 
there can be more than one site ARP. However, only one set of site 
ARP's can be defined for a given AA. If both a site ARP and a user 
ARP are applicable to a particular SHAR/URL combination, then the 
attributes released are the union of the two ARP's necessarily 
excluding any attributes marked exclude and necessarily including any 
attributes marked include.

In  addition, Site ARPs have  some special functionality that is not 
available with user ARPs:

	-  A default  site  ARP can be created, that will be used  if 
the AA fails to find a precise  match. For instance, the  default 
site  ARP could specify the release of  "AFFILIATION=MEMBER". If this 
were the only ARP, then  this vallue would be  released to all of the 
commercial information providers that the  campus had agreements 
with. Nothing elsewould be needed. On the down side, this value would 
also be released to  any other Shib-enabled site for which a 
specific  ARP did not exist. Individual  campuses  must judge what 
level of exposure this creates.   Since these settings will govern 
the privacy of your users, site ARP's should be defined carefully 
before any sensitive information is utilized, and users should be 
informed of their reponsibility to regulate the release of sensitive 
information.

	- The release of certain attributes (Q: or does  exclude 
apply to  values?) to certain targets may be marked exclude, which 
blocks the release of that attribute, even if the user tries to 
specify it for themself.

	- The release of certain attributes to certain targets may be 
marked include, which prevents the user from filtering  (blocking the 
release of that attribute -- Q - or is this value?).


Info not used (perhaps best kept in the original section)

A set of default ARP's should be established for the community.  When 
Shibboleth is installed, there are no defined ARP's, and therefore, 
nothing will ever be released.  This must be modified using either 
the text-based editor or the MyAA webapp.  Since these settings will 
govern the privacy of your users, site ARP's should be defined 
carefully before any sensitive information is utilized, and users 
should be informed of their reponsibility to regulate the release of 
sensitive information.

Management of ARP's may be delegated to other users to allow for 
distributed editing.  Each component of each ARP -- SHAR, URL, and 
attribute -- may be given an ACL.  Users listed in the ACL will be 
granted the ability to modify that particular ARP object and create 
additional ARP objects further down the ARP tree: the manager of a 
SHAR ARP could add new URL trees, but the manager of a URL tree could 
not add new URL trees within the SHAR.  Control of an ARP object 
grants the ability to modify any component on the ARP tree beneath 
that object.

For more precise information regarding how ARP's are processed or 
syntactically formed, please refer to section 5.a.i.


------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

   http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--