Shibboleth Developers

[Walter Hoehn <>]

Well, the canonical representation of the ARP is XML.  The useful bit 
about ldap here is quick retrieval, tying policies to users and groups, 
and possibly use of the ACL mechanisms.  Why not just stick the raw XML 
in an attribute?

-Walter


On Jun 30, 2004, at 10:18 AM, Digant C Kasundra wrote:

> Hello folks,
>
> In my perhaps foolish attempt to be useful, I'm going to try
> implementing the LDAPArpRepository.  I think one of the things that 
> must
> be discussed (here or elsewhere) is what ARP entries in the directory
> should look like, and perhaps drafting a schema as well.
>
> My immediate concern is how best to represent ARP information in the
> directory.  To form the heirarchy of ARP, I can see perhaps a base 
> entry
> for the identity-provider-wide default ARP.  From here, I would imagine
> there would be subentries per user.  And under these, there could be
> subentries per service-provider (for user ARP's per service-provider
> functionality, which I think could potentially destroy your directory
> due to sheer volume).
>
> The other topic of discussion should be how best to represent the
> attribute-permit pairs (urn:mace:...:eppn:deny perhaps?)
>
> -- DK