Shibboleth Developers

[Scott Cantor <>]

I added some AAP elements to the shib schema, and whipped up a quick
sample here:

http://usfs2.us.ohio-state.edu/CIC/Shibboleth/aap_example.xml

It illustrates a couple of example concepts:

The AAP is a set of rules, each one referencing an attribute by name.
The schema enforces one rule per attribute (no ambiguity).

Each rule contains an optional default policy (<AnySite>) and zero or
more explicit SiteRules. Each rule is a set of Values (literals or
regexps). The default policy allows for a special syntax for replacing a
%s in the value string with the name of the origin site in a particular
evaluation.

The example policy says:

For eduPersonEntitlement, accept from any origin site a value of the
form "urn:mace:<origin site name>:jstor"

Also, for the osu.edu origin site, accept a literal value
"http://osu.edu/eduPersonEntitlement/foo/123"; or any value beginning
with "http://osu.edu/eduPersonEntitlement/bar/"; and at least one more
character after the slash.

This design can handle any basic content model attributes (stuff that's
just a value stuck inside the <AttributeValue> tags), and should be able
to generalize beyond to more complex attributes if we want it to,
probably using XPath boolean expressions.

-- Scott

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--