Skip to Content.
Sympa Menu

shibboleth-dev - Use case for origin independant groups of users

Subject: Shibboleth Developers

List archive

Use case for origin independant groups of users


Chronological Thread 
  • From: Thomas Lenggenhager <>
  • To:
  • Subject: Use case for origin independant groups of users
  • Date: Tue, 28 Oct 2003 16:23:06 +0100
I'd like to propose a use case which is not very well covered
with the current Shibboleth implementation.

Origin Independent Groups of Users
==================================
Let us assume there is a distributed research team made up of a few
groups of researchers, each located at a university already equipped
with a Shibboleth origin installation and all are part of the same
federation.

This research team wants to protect access to their Shibboleth enabled
web server to members of their teams.


How to solve that case with the current Shibboleth?
===================================================
With the existing Shibboleth they would have to use a unique ID like
the eduPersonPrincipalName and list all the EPPNs of their team members
in the target authorization. This is not a really user-friendly way
of configure it and does not scale well for groups beyond 10 people.


Idea for a Possible Addition to Shibboleth Resource Manager
===========================================================
- The Shibboleth Resource Manager would have to support the use of
an origin independent Group Management Server (GMS) which would
act similarly to an AA server.

- From the authorization config, the target fetches the URL of the
GMS to verify whether the person with the EPPN provided (instead
of a handle) is member of the group specified.
The answer of the GMS would just be a YES or NO assertion.

- A GMS itself should include a Shibboleth protected web server,
however, its additional functionalities are not directly linked
with Shibboleth.

- Setting-up a new group
A group admin gets authorized to configure a new group on the GMS.
The group admin is able to approve additional members.

- Adding members to a group
The group admin invites potential members to join the group by
providing them a URL under which they can apply for subscribtion.
By contacting that URL, the user provides the EPPN as well as some
further attributes which allow the group admin to decide on
membership for that user.
By accepting the user, the EPPN gets added to the list of members
and is therefore available for future tests on group membership.

Sure you have further solutions in mind for that use case.


I think support for groups made up of people from more than one origin
site will become a need as soon as Shibboleth is deployed wider and
through an extension of Shibboleth tackling that we could increase its
usefulness.

For authorizing groups, the current Shibboleth heavily depends on
eduPersonEntitlement which is a way for official groups of people
belonging to one origin site only or for cases like JSTOR where an
important information supplier defines which value to use.
Smaller or more ad-hoc groups of people will not easily be able to
get their special entitlement value into the attribute database of
the origin site.

Thomas
_____________________________________________________
Thomas Lenggenhager


SWITCH The Swiss Education & Research Network
Limmatquai 138 Tel: +41 1 268 1520
CH-8001 Zurich, Switzerland Fax: +41 1 268 1568


Archive powered by MHonArc 2.6.16.

Top of Page