Shibboleth Developers

["RL 'Bob' Morgan" <>]

> 1) Will there ever be the situation that a particular entitlement
>   value will have different meanings to different SPs?

It's hard to guarantee, but it would certainly be a mistake.  This is one 
of the points of promoting the use of URIs for these values, so it's easy 
for sites (SPs or IdPs or whoever) to generate unique values (using their 
domain names typically).  The more likely problem I imagine will be SPs 
using different values to mean the same thing, which represents an 
increased burden for IdPs to manage but at least not a conflict.

> 3) Might there be dynamic entitlements, say that depend on the
>   location of a user's browser or time of day, that would not
>   fit the static paradigm?  Or is that outside the scope of
>   eduPersonEntitlement?

As we know, the proposed standard-library-user entitlement 
(urn:mace:incommon:entitlement:1) in most cases has to support "user at 
library kiosk machine but otherwise unauthenticated", ie browser location. 
Could certainly be other cases of this.  Obviously setting up entitlement 
meanings that the ordinary IdP isn't able to handle would be a bad thing 
for an SP to do.

 - RL "Bob"