shibboleth-dev - ARP regexp?
- From: Valery Tschopp <>
- To: ,
- Subject: ARP regexp?
- Date: Tue, 22 Feb 2005 18:59:33 +0100
- Organization: SWITCH - Swiss Education & Research Network
Hi,
We have a problem with the ARP regexp matching function.
The arp.site.xml defines a default set of anonymous attributes that are always released (AnyTarget) and an extended set of attributes released only inside our domain (privacy problem).
Users' ARPs are based on a template, and each user can choose (allow or deny) whether they agree to release outside our domain.
How could we define the Resource matchFunction in the user ARP to express the rule 'target is not *.switch.ch'?
There is no 'not-this-string' in regexp!?!
Or any other idea how to implement this case?
What we would like is something like this:
site.ARP:
  rule: any target (only anonymous attributes)
    allow: uniqueID
    allow: homeOrganization
    allow: homeOrganizationType
    allow: affiliation
  rule: *.switch.ch (attributes released only inside *.switch.ch)
    allow: givenname
    allow: surname
    allow: email
    allow: phone
    allow: studyBranch1
    allow: studyBranch2
    allow: studyBranch3
    allow: studyLevel
user.template.ARP: (attributes released outside *.switch.ch)
  rule: not *.switch.ch
    allow: givenname
    allow: surname
    allow: email
    allow: phone
Based on the template, users can choose to allow or deny attribute release outside the switch.ch domain. Like so:
user.A.ARP: (all allowed)
  rule: not *.switch.ch
    allow: givenname
    allow: surname
    allow: email
    allow: phone
user.B.ARP: (mixed allow and deny)
  rule: not *.switch.ch
    allow: givenname
    allow: surname
    deny: email
    deny: phone
user.C.ARP: (all denied)
  rule: not *.switch.ch
    deny: givenname
    deny: surname
    deny: email
    deny: phone
-> user A attributes released outside switch.ch:
{ uniqueID,
homeOrganization,
homeOrganizationType,
affiliation,
givenname,
surname,
email,
phone }
-> user B attributes released outside switch.ch:
{ uniqueID,
homeOrganization,
homeOrganizationType,
affiliation,
givenname,
surname }
-> user C attributes released outside switch.ch:
{ uniqueID,
homeOrganization,
homeOrganizationType,
affiliation }
There is certainly another way to implement the same thing, but up to now I haven't found it.
Any ideas are welcome ^_^
Thanks in advance,
Valery
--
Valery Tschopp Software Engineer
SWITCH The Swiss Education and Research Network
AAI Neumuehlequai 6 8001 Zurich
phone:+41 1 268 1515
email:
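Editorial worked example, added here and not code from the original post or from Shibboleth itself. The 'target is not *.switch.ch' rule can be written as a single regexp using a negative lookahead, `^(?!(?:.*\.)?switch\.ch$).*$`: the `(?!...)` group fails the whole match whenever the "inside" pattern would succeed, so the rule fires only for targets outside the domain. Negative lookahead is supported by java.util.regex, which the Java-based IdP's regexp match function is assumed here to use (the post does not say). The rest of the block replays the site ARP and the three user ARPs from the message under two further assumptions, both labelled in the code: the target string compared is the SP's host name, and every matching rule contributes with an explicit deny overriding any allow. Note the anchoring on the dot before `switch.ch`: a sloppy `.*switch\.ch$` would also treat `evilswitch.ch` as an inside target.

```python
import re

# Assumption: the target string the match function sees is the SP's host
# name, compared case-insensitively (host names are case-insensitive).
# The optional "(?:.*\.)?" admits the bare "switch.ch" and any subdomain,
# while the anchored "\.switch\.ch$" rejects look-alikes such as
# "evilswitch.ch".
INSIDE_SWITCH = re.compile(r'^(?:.*\.)?switch\.ch$', re.IGNORECASE)

# "Target is not *.switch.ch": the negative lookahead (?!...) fails the
# match whenever INSIDE_SWITCH would succeed, so this rule matches only
# targets outside the domain.
NOT_SWITCH = re.compile(r'^(?!(?:.*\.)?switch\.ch$).*$', re.IGNORECASE)

ANY_TARGET = re.compile(r'^.*$')

ALLOW, DENY = 'allow', 'deny'

# Site ARP from the post: anonymous attributes for any target, the
# extended set only inside *.switch.ch.
SITE_ARP = [
    (ANY_TARGET, {a: ALLOW for a in (
        'uniqueID', 'homeOrganization', 'homeOrganizationType', 'affiliation')}),
    (INSIDE_SWITCH, {a: ALLOW for a in (
        'givenname', 'surname', 'email', 'phone',
        'studyBranch1', 'studyBranch2', 'studyBranch3', 'studyLevel')}),
]

# The three user ARPs from the post, each instantiated from the template.
USER_ARPS = {
    'A': [(NOT_SWITCH, {'givenname': ALLOW, 'surname': ALLOW,
                        'email': ALLOW, 'phone': ALLOW})],
    'B': [(NOT_SWITCH, {'givenname': ALLOW, 'surname': ALLOW,
                        'email': DENY, 'phone': DENY})],
    'C': [(NOT_SWITCH, {'givenname': DENY, 'surname': DENY,
                        'email': DENY, 'phone': DENY})],
}


def is_outside(target):
    """True when the 'not *.switch.ch' rule matches the target."""
    return NOT_SWITCH.fullmatch(target) is not None


def released(user, target):
    """Attributes released to `target` for `user`.

    Assumption: every rule whose regexp matches the target contributes,
    and an explicit deny overrides any allow.
    """
    allowed, denied = set(), set()
    for regex, decisions in SITE_ARP + USER_ARPS[user]:
        if regex.fullmatch(target) is None:
            continue
        for attr, decision in decisions.items():
            (allowed if decision == ALLOW else denied).add(attr)
    return allowed - denied


if __name__ == '__main__':
    # Constructed sample targets: one outside, one inside the domain.
    for user in 'ABC':
        print(user, 'outside:', sorted(released(user, 'sp.example.org')))
        print(user, 'inside: ', sorted(released(user, 'sp.switch.ch')))
```

For users A, B and C the outside target yields exactly the three sets listed in the post, and the user rule stays silent for inside targets, where only the site ARP applies.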