> But isn't this what eduPersonEntitlement is for?
If it was actually useable in this case, Andy! URL/URN isn't an option.
Alistair
--------------
mov eax,1
mov ebx,0
int 80h
On 25 Nov 2008, at 11:19, Andy Swiffin wrote:
> >>> On 25/11/2008 at 10:44, Alistair Young wrote:
>> Hi folks,
>>
>> are there any best practices for the use of ePSA? The specs have a
>> tightly controlled vocabulary which applies in the context of the
>> IdP.
>> However, we're seeing a use case where we'd like to pass values that
>> are in the context of a mutually agreed affiliation between the IdP
>> and SP. Basically, the SP would be defining finer grained
>> affiliations
>> based on resources held by the SP and the IdP would assert
>> accordingly, e.g. "member allowed to access Resource X". AFAIK
>> OpenAthens allows you to do this using ePSA, which can be used to
>> contain user roles that are Athens permission sets, which are
>> obviously outside the controlled vocabulary of ePSA.
>
> Well, according to
>
> http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200806.html#eduPersonAffiliation
>
>
> 2.2.1. eduPersonAffiliation (defined in eduPerson 1.0); OID:
> 1.3.6.1.4.1.5923.1.1.1.1
> ...
> Permissible values
> faculty, student, staff, alum, member, affiliate, employee,
> library-walk-in
>
>> The other way is to define a completely new attribute (OpenAthens
>> again, userRole) but some SPs might not like that. I don't see a
>> problem using ePSA to transport custom affiliations but just thought
>> I'd check with those who know these things.
>>
>
> But isn't this what eduPersonEntitlement is for? I don't see why
> you'd need to tinker with ePSA when you can use EPE for that finer
> grained "entitlement", and this is what is being done in the Fed'
> e.g. "Film and sound on line".
>
> Andy