Shibboleth Developers

[Digant C Kasundra <>]

That could work and would definately simply things.  On the other hand,
if things were parsed out a bit, it might be easier to make frontend's
to manage it and easier for non-XML apps to access it.  Just a
thought....  I know this opens up a whole new can of worms which we may
not want to address right now and instead, just stick with XML in the
attribute (or perhaps a mix of both of some kind -- tree structure for
the heirarchy, xml for the attribute-permit pair?)

-- DK

On Wed, 2004-06-30 at 11:31, Walter Hoehn wrote:
> Well, the canonical representation of the ARP is XML.  The useful bit 
> about ldap here is quick retrieval, tying policies to users and groups, 
> and possibly use of the ACL mechanisms.  Why not just stick the raw XML 
> in an attribute?
> 
> -Walter
> 
> 
> On Jun 30, 2004, at 10:18 AM, Digant C Kasundra wrote:
> 
> > Hello folks,
> >
> > In my perhaps foolish attempt to be useful, I'm going to try
> > implementing the LDAPArpRepository.  I think one of the things that 
> > must
> > be discussed (here or elsewhere) is what ARP entries in the directory
> > should look like, and perhaps drafting a schema as well.
> >
> > My immediate concern is how best to represent ARP information in the
> > directory.  To form the heirarchy of ARP, I can see perhaps a base 
> > entry
> > for the identity-provider-wide default ARP.  From here, I would imagine
> > there would be subentries per user.  And under these, there could be
> > subentries per service-provider (for user ARP's per service-provider
> > functionality, which I think could potentially destroy your directory
> > due to sheer volume).
> >
> > The other topic of discussion should be how best to represent the
> > attribute-permit pairs (urn:mace:...:eppn:deny perhaps?)
> >
> > -- DK