On Mon, 28 Apr 2008, Sean Dunne wrote:
>> Isn't what you really want an assertion of the status associated with the
>> scope used to form the eduPersonScopedAffiliation, rather than of the IdP
>> operator? That way you could implement "must have ePSA of 'member' within
>> an HE institution", and we could run one IdP asserting
>> "[log in to unmask]" for 'real' members and [log in to unmask] for alumni.
>>
>
> That would seem to be a particularly perverse use of 'member' in ePSA; I
> thought 'member' was defined as equivalent to 'staff, student, faculty
> or employee' and explicitly not equivalent to 'alum'.
>
> Surely it's much simpler to have one IdP and assert ePSA values
> "[log in to unmask]" for members and "[log in to unmask]" for alumni. Then if
> your IdP is marked as status HE our SP can deal with the situation by
> using the ePSA to distinguish members from alumni.
Yes, you are right - the choice of 'Alumni' in my example was unfortunate.
But the general principle of an HE institution wishing to run an IdP
asserting more than one scope relating to people with differing statuses
stands.
>> A quick peek at the current UK federation metadata suggests that multiple
>> scopes are legal. For instance
>> entityID="urn:mace:eduserv.org.uk:athens:federation:beta" currently
>> asserts lots of scopes, not all of which can possibly be of the same
>> status (anglia.ac.uk vs. test.ovid.com).
>
> I accept that some IdPs have multiple scopes (though I believe that soon
> that will no longer be the case for organisations outsourcing their IdP
> to Eduserv), in which case the status could be associated with the
> scope.
Indeed.
Jon.
--
Jon Warbrick
Web/News Development, Computing Service, University of Cambridge
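The SP-side logic the thread is circling around, as an added Python example that is not code from the thread or from any federation software: an SP receiving eduPersonScopedAffiliation values from an IdP with several registered scopes drops any value whose scope is not registered to that IdP in federation metadata, then evaluates a rule such as "must have ePSA of 'member' within an HE institution" against the status attached to the scope rather than to the IdP operator. The entityIDs, scopes and status labels are constructed, the metadata is stood in for by a dictionary (real metadata carries scopes as shibmd:Scope elements), and scope matching is assumed to be exact, not regex.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample metadata: for each IdP entityID, the scopes it may assert
# and the status the federation attaches to each scope. All values hypothetical.
IDP_SCOPES: Dict[str, Dict[str, str]] = {
    "https://idp.example.ac.uk/shibboleth": {
        "example.ac.uk": "HE",
        "alumni.example.ac.uk": "Other",
    },
    "https://idp.outsourced.example.org/shibboleth": {
        "college.example.ac.uk": "HE",
        "vendor.example.com": "Other",
    },
}

# The controlled vocabulary for the affiliation part of ePSA.
VALID_AFFILIATIONS = {
    "member", "student", "staff", "faculty", "employee",
    "affiliate", "alum", "library-walk-in",
}


def parse_epsa(value: str) -> Optional[Tuple[str, str]]:
    """Split 'affiliation@scope'; return None for malformed or unknown values."""
    aff, sep, scope = value.partition("@")
    if not sep or not aff or not scope or "@" in scope:
        return None
    aff, scope = aff.lower(), scope.lower()
    if aff not in VALID_AFFILIATIONS:
        return None
    return aff, scope


def filter_epsa(entity_id: str, values: List[str],
                idp_scopes: Dict[str, Dict[str, str]] = IDP_SCOPES
                ) -> List[Tuple[str, str, str]]:
    """Keep only values whose scope is registered to the asserting IdP.

    Returns de-duplicated (affiliation, scope, status) triples; a value whose
    scope belongs to some other IdP, or to no IdP, is silently discarded so an
    IdP cannot vouch for affiliations in a scope it does not own.
    """
    permitted = idp_scopes.get(entity_id, {})
    accepted: List[Tuple[str, str, str]] = []
    for raw in values:
        parsed = parse_epsa(raw)
        if parsed is None:
            continue
        aff, scope = parsed
        if scope not in permitted:
            continue
        triple = (aff, scope, permitted[scope])
        if triple not in accepted:
            accepted.append(triple)
    return accepted


def satisfies(accepted: List[Tuple[str, str, str]],
              affiliation: str, status: str) -> bool:
    """Policy check: some accepted value has this affiliation in a scope of this status."""
    return any(a == affiliation and s == status for a, _, s in accepted)


if __name__ == "__main__":
    # Constructed assertion from the first IdP: members, alumni, a scope it
    # does not own, a case variant, and junk.
    got = filter_epsa("https://idp.example.ac.uk/shibboleth", [
        "member@example.ac.uk", "alum@alumni.example.ac.uk",
        "member@other.ac.uk", "MEMBER@Example.ac.uk", "junk",
    ])
    print(got)
    print("member within HE:", satisfies(got, "member", "HE"))
```

Because the status rides on the scope, the same IdP can assert "member" for its HE scope and "alum" for a separate alumni scope without the SP having to trust the IdP operator's status for both, which is the point Jon's follow-up makes.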