shibboleth-dev - Re: generating eduPersonEntitlements
- From: Keith Hazelton <>
- Subject: Re: generating eduPersonEntitlements
- Date: Wed, 13 Jul 2005 15:24:08 -0700
Jim Fox wrote:

> It looks like we may have to support some eduPersonEntitlements
> soon - to Napster, perhaps. These questions came up as I looked
> into ways to generate entitlement values. Let me note that present
> Shibboleth code appears to support only a static form of entitlement:
> LDAP or DB fixed attributes of a user, e.g.
>
> uwNetID: bill
> eduPersonEntitlement: urn:mace:incommon:entitlement:common:1
> eduPersonEntitlement: urn:mace:washington.edu:napster:basic
>
> presumably dorm residents would also have the attribute
>
> eduPersonEntitlement: urn:mace:washington.edu:napster:dorm
>
> and we would set up ARPs to release only the napster ones to napster.
> (The values in the example are fictitious.)
>
> 1) Will there ever be the situation that a particular entitlement
> value will have different meanings to different SPs?

Flat "No." Though I expect other answers will be put forward.

> 2) We presently store data as group membership rather than
> as individual attributes. For example, if we have an LDAP
> group of dorm residents:
>
> cn: Housing.dormer
> member: id=spud
> member: id=potato
> ...
>
> we'd like to generate the "...napster:dorm" entitlement for anyone
> in that group. I realize 1.3 doesn't support this, but is it
> in shib's future? Is there other interest in this capability?

I think I'd handle this as a variant of #3 below:

> 3) Might there be dynamic entitlements, say that depend on the
> location of a user's browser or time of day, that would not
> fit the static paradigm? Or is that outside the scope of
> eduPersonEntitlement?

That's a perfectly fine use of ePEntitlement. The dynamic generation would probably happen in a custom attribute resolver plug-in to the IdP's attribute authority, I'd guess. --Keith

> Thanks for any enlightenment,
> Jim
--
________________________________________________________
Keith Hazelton Senior IT Architect, UW-Madison
(608) 262-0771 Division of Info. Technology
(608) 877-0977 (home) 1210 W. Dayton St., rm. 2164
http://arch.doit.wisc.edu/keith Madison, WI 53706
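The two mechanisms discussed in the message above, static per-user entitlement values plus values derived from LDAP group membership, and an ARP-style release policy that hands each SP only the values it should see, as an added example that is not part of the thread and not Shibboleth's own code. The users, groups, SP entity IDs and URNs are constructed and fictitious, and the resolver configuration (`GROUP_ENTITLEMENTS`, `RELEASE_POLICY`) is a hypothetical shape, not a real IdP configuration format.

```python
# Added example (not from the thread, not Shibboleth code): a model of an
# IdP attribute resolver that merges static eduPersonEntitlement values
# with values derived from group membership, then applies a per-SP
# release policy.  All data below is constructed and fictitious.

# Constructed LDAP-like data: static per-user entitlement values ...
USERS = {
    "bill": {
        "urn:mace:incommon:entitlement:common:1",
        "urn:mace:washington.edu:napster:basic",
    },
    "spud": {"urn:mace:washington.edu:napster:basic"},
    "potato": set(),
}

# ... and group membership (cn -> member uids), as in the Housing.dormer example.
GROUPS = {
    "Housing.dormer": {"spud", "potato"},
    "Library.staff": {"bill"},
}

# Hypothetical resolver configuration: group membership -> entitlement values.
GROUP_ENTITLEMENTS = {
    "Housing.dormer": {"urn:mace:washington.edu:napster:dorm"},
}

# Hypothetical ARP-style release policy: SP entity ID -> URN prefixes it may
# receive.  An SP with no entry receives nothing (default deny).  Prefixes end
# in ":" so that "napster:" cannot match an unrelated "napsterfoo:" namespace.
RELEASE_POLICY = {
    "https://sp.napster.example/shibboleth": (
        "urn:mace:washington.edu:napster:",
    ),
    "https://sp.library.example/shibboleth": (
        "urn:mace:incommon:entitlement:",
    ),
}


def resolve_entitlements(uid: str) -> set[str]:
    """Static values for the user plus values derived from group membership.

    An unknown uid resolves to an empty set rather than raising, so a
    lookup failure cannot leak into a release decision.
    """
    values = set(USERS.get(uid, set()))
    for group, members in GROUPS.items():
        if uid in members:
            values |= GROUP_ENTITLEMENTS.get(group, set())
    return values


def release_for_sp(uid: str, sp_entity_id: str) -> set[str]:
    """Filter the resolved entitlement set down to what this SP may receive."""
    allowed_prefixes = RELEASE_POLICY.get(sp_entity_id, ())
    return {
        value
        for value in resolve_entitlements(uid)
        if any(value.startswith(prefix) for prefix in allowed_prefixes)
    }


if __name__ == "__main__":
    for uid in ("bill", "spud", "potato"):
        for sp in RELEASE_POLICY:
            print(uid, sp, sorted(release_for_sp(uid, sp)))
```

Two design points matter for the group-derived case: derivation happens before release filtering, so the same policy governs static and derived values alike, and the policy is default-deny, so an SP that has no ARP entry sees no entitlement values at all.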
- generating eduPersonEntitlements, Jim Fox, 07/13/2005
- Re: generating eduPersonEntitlements, Keith Hazelton, 07/13/2005
- RE: generating eduPersonEntitlements, Scott Cantor, 07/13/2005
- RE: generating eduPersonEntitlements, Jim Fox, 07/14/2005
- RE: generating eduPersonEntitlements, Scott Cantor, 07/14/2005
- RE: generating eduPersonEntitlements, Jim Fox, 07/14/2005
- Re: generating eduPersonEntitlements, RL 'Bob' Morgan, 07/13/2005
- Re: generating eduPersonEntitlements, Walter Hoehn, 07/18/2005
- Re: generating eduPersonEntitlements, Jim Fox, 07/18/2005