Shibboleth Developers

[Tom Zeller <>]

>  - AOB

[massive cross-posting]

Per last shib-dev call, I was supposed to write up thoughts regarding
an ldap interface to the attribute resolver.

Given a reasonably simple, generic, and implementable search api
across a variety of sources, e.g. idp - attribute resolver - ldap and
rdbms data connectors, is a search enabled idp realistic ? (where
"idp" means an attribute resolver accessible over saml, maybe ldap,
maybe maybe  spml)

A search enabled "idp" could be a source to grouper for subjects
(members), enabling federated groups. With an ldap interface, a
searchable federation of "idp"s might enable a virtual federated
directory, directly or through provisioning.

A recent thread (Gary Cole @ Oracle) on the oasis pstc explores
simplifying search. In general : "search name1 == value and name2 !=
value2 and name3 starts_with foo" might comprise reasonably
implementable search functionality.

I can imagine a potential collaboration between the sstc and pstc, as
well as a joint conversation between grouper and shibboleth (and
fifer-api ?). And then there's access management (paccman) ...

I have included a link to the Directory of Directories for Higher
Education (DoDHE) project, circa 2001, which I hope will point a way
to a federated ldap dit (directory information tree) including groups
and privileges, whether using referrals or otherwise.

TomZ

[1] https://wiki.shibboleth.net/confluence/display/DEV/DCN20110324

[2] http://lists.oasis-open.org/archives/provision/201104/msg00006.html

[3] 
http://middleware.internet2.edu/dodhe/ppt-html/DoDHE-Parts/DoDHE-Parts_files/v3_document.htm