> You could just be naughty
Yep, looks like it's the only way. The spec is forcing the naughtiness
index to increase! The ARPs are easily set up for this SP so I think
ePSA + whatever is the easiest way to go as we were trying to tackle
it via multiple scopes, hence ePSA but their SP can't handle multiple
scopes, hence taking the road of multiple values for ePSA. I suspect
we'll see more and more of these naughty transgressions just to get
Shibboleth "working" in the real world.
Being Shibboleth enabled and actually supporting what comes as a
consequence are two different things. I haven't seen anything that
betters the current Athens way of working, where an institutional
admin can group resource subscriptions into SP groups and then tell
the local IdP bod to assert those groups for those users. If highly
targeted subscriptions (i.e. resource X for members of module 101) are
going to be available via Shibboleth, this is going to be important.
You can't do that via multiple scopes as some SPs don't support
multiple scopes.
Thanks
Alistair
--------------
mov eax,1
mov ebx,0
int 80h
On 25 Nov 2008, at 12:07, Andy Swiffin wrote:
>>
>> ePSA has too strict a vocab and ePA requires URL/URN. What we're
>> seeing is the application of Shibboleth to "working systems",
>> basically replacing username/password combos with attributes/values
>> and eduPerson can't seem to cope with this "legacy" situation. Was
>> hoping to avoid a custom attribute as their SP might not pass it on
>> (it's not an I2 SP).
>
> It's that old tough nut of pragmatism versus conformity.
>
> It is a shame that they've gone and put
>
> ".2.2. eduPersonEntitlement (defined in eduPerson 200210); OID:
> 1.3.6.1.4.1.5923.1.1.1.7
> Definition
> URI (either URN or URL) that indicates a set of rights to specific
> resources."
>
> and not left it as a free form "put in whatever you want"
>
> You could just be naughty, then, and use ePSA with an ARP that
> releases your "custom values" to that SP and add a deny to the
> permit for your default ARP, i.e.
>
> <AnyValue release="permit"/>
> <Value release="deny">alistairs_illegal_value</Value>
>
> and nobody else needs to know :-)
>
> Cheers
> Andy