Shibboleth Developers

[Jim Fox <>]

> It supports it via attribute plugins. I'm not sure how else it could be
> supported. I guess some kind of generic group query connector that results
> in an entitlement?

Yes, the CustomDataConnector supports most things we need, but not
efficiently.  The problem is the overloaded nature of ePEntitlement,
which really ought to be a different attribute for each SP.

Suppose I have SP-1 that wants an entitlement that's hard to compute -
say it accesses a database somewhere.  And an SP-2 entitlement that
accesses some other database.  And SP-3 that only wants "member".  Now
I have only one chance to define an attribute connector for ePEntitlement
- so it has to include data connectors for every possible SP.  My arps
also can only reference ePEntitlement.  They can later filter values,
but only after those values have been computed.  So, on every access from
SP-3 I have to compute the ePEntitlement attributes for SP-1, SP-2, and
every other SP, only to filter them all out and return "member".

What I really want is "Entitlement-sp-1", which I compute only if the
SP is SP-1; "Entitlement-sp-2", which I compute if SP-2; and the
"Entitlement-sp-3", which I compute if the SP is SP-3.  Before responding
with attributes I combine all the "Entitlements*" into one
"eduPersonEntitlement" and send that.  This way I can avoid the
time-consuming calculations for entitlements that I know I will not need.

Jim