
shibboleth-dev - generating eduPersonEntitlements

Subject: Shibboleth Developers

  • From: Jim Fox <>
  • To:
  • Subject: generating eduPersonEntitlements
  • Date: Wed, 13 Jul 2005 15:13:49 -0700 (PDT)


It looks like we may have to support some eduPersonEntitlements
soon - to Napster, perhaps. These questions came up as I looked
into ways to generate entitlement values. Let me note that present
shibboleth code appears to support only a static form of entitlement:
LDAP or DB fixed attributes of a user, e.g.

uwNetID: bill
eduPersonEntitlement: urn:mace:incommon:entitlement:common:1
eduPersonEntitlement: urn:mace:washington.edu:napster:basic

presumably dorm residents would also have the attribute

eduPersonEntitlement: urn:mace:washington.edu:napster:dorm

and we would set up ARPs to release only the napster ones to napster.
(The values in the example are fictitious.)



1) Will there ever be the situation that a particular entitlement
value will have different meanings to different SPs?


2) We presently store data as group membership rather than
as individual attributes. For example, if we have an LDAP
group of dorm residents:

cn: Housing.dormer
member: id=spud
member: id=potato
...

we'd like to generate the "...napster:dorm" entitlement for anyone
in that group. I realize 1.3 doesn't support this, but is it
in shib's future? Is there other interest in this capability?


3) Might there be dynamic entitlements, say that depend on the
location of a user's browser or time of day, that would not
fit the static paradigm? Or is that outside the scope of
eduPersonEntitlement?



Thanks for any enlightenment,

Jim
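
Added example, not part of the original message and not Shibboleth code: a sketch of the group-based derivation asked about in question 2, combined with a default-deny release filter per SP. The mapping tables, function names and the SP label "napster" are assumptions made for illustration; the sample entries reuse the fictitious values from the message.

```python
# Illustration only: derive eduPersonEntitlement values from group
# membership, then release per SP. All data below is constructed.

# Static per-user values, as in the message's first example.
STATIC = {
    "bill": ["urn:mace:incommon:entitlement:common:1",
             "urn:mace:washington.edu:napster:basic"],
    "spud": ["urn:mace:washington.edu:napster:basic"],
}

# LDAP-style group entries: cn -> member values ("id=<user>").
GROUPS = {"Housing.dormer": {"id=spud", "id=potato"}}

# Hypothetical mapping: group cn -> entitlement granted to its members.
GROUP_ENTITLEMENTS = {
    "Housing.dormer": "urn:mace:washington.edu:napster:dorm",
}

# Hypothetical release policy: SP label -> URN prefixes it may receive.
# The trailing colon keeps "napster:" from matching a longer name.
RELEASE_PREFIXES = {"napster": ("urn:mace:washington.edu:napster:",)}


def entitlements_for(user):
    """Static values plus any derived from group membership."""
    values = list(STATIC.get(user, []))
    for cn, members in GROUPS.items():
        urn = GROUP_ENTITLEMENTS.get(cn)
        if urn and f"id={user}" in members and urn not in values:
            values.append(urn)
    return values


def release(user, sp):
    """Values released to sp; an SP with no policy receives nothing."""
    prefixes = RELEASE_PREFIXES.get(sp, ())
    return [v for v in entitlements_for(user) if v.startswith(prefixes)]


if __name__ == "__main__":
    for user in ("bill", "spud", "potato"):
        print(user, release(user, "napster"))
```
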




