Hi folks,

I was wondering if anyone has any best practice recommendations based on
previous experience with suppliers. The scenario is a single IdP asserting
multiple scopes for a single user, i.e. domain.ac.uk and sub.domain.ac.uk,
and having a supplier in the federation use these scopes to tailor resource
access.

All users in domain.ac.uk get access to X resources. Users who are deemed
to be affiliated to sub.domain.ac.uk get access to Y resources, in
addition to X resources.

This is possible using OpenAthens and permission sets. Has anyone tried
this with a supplier in the federation using attributes?

Would it be best to use eduPersonScopedAffiliation to do this?

  <Attribute AttributeName="...eduPersonScopedAffiliation"
             AttributeNamespace="...">
    <AttributeValue Scope="domain.ac.uk">member</AttributeValue>
    <AttributeValue Scope="sub.domain.ac.uk">member</AttributeValue>
  </Attribute>

This is where the real value of Shibboleth comes in, partitioning
resources based on institutional structure/licensing.

Thanks,
Alistair
--
mov eax,1
mov ebx,0
int 80h
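
Added example, not part of the original post and not any supplier's code: a sketch of how a service provider could turn the scoped values shown above into resource sets X and Y. It assumes the assertion's signature has already been validated and that permitted_scopes is the set of scopes the federation metadata lets this IdP assert; the GRANTS mapping and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the attribute from the post, names elided as on the page.
SAMPLE = """<Attribute AttributeName="...eduPersonScopedAffiliation"
AttributeNamespace="...">
<AttributeValue Scope="domain.ac.uk">member</AttributeValue>
<AttributeValue Scope="sub.domain.ac.uk">member</AttributeValue>
</Attribute>"""

# Hypothetical licence mapping: (affiliation, scope) -> resource sets.
GRANTS = {
    ("member", "domain.ac.uk"): {"X"},
    ("member", "sub.domain.ac.uk"): {"Y"},
}


def local(tag):
    """Drop an XML namespace prefix such as '{urn:...}AttributeValue'."""
    return tag.rsplit("}", 1)[-1]


def scoped_affiliations(attribute_xml):
    """Return (affiliation, scope) pairs from one already-verified Attribute."""
    root = ET.fromstring(attribute_xml)
    # The page elides the full attribute name, so only the suffix is matched here;
    # a real SP would compare the complete name and namespace.
    if not root.get("AttributeName", "").endswith("eduPersonScopedAffiliation"):
        return []
    pairs = []
    for el in root.iter():
        if local(el.tag) != "AttributeValue":
            continue
        value = (el.text or "").strip().lower()
        scope = (el.get("Scope") or "").strip().lower()
        if value and scope:
            pairs.append((value, scope))
    return pairs


def resources_for(attribute_xml, permitted_scopes):
    """Union of resource sets for every value whose scope the IdP may assert."""
    granted = set()
    for value, scope in scoped_affiliations(attribute_xml):
        # Exact comparison only: no suffix matching, so an unexpected
        # sub-scope is ignored instead of inheriting the parent's access.
        if scope not in permitted_scopes:
            continue
        granted |= GRANTS.get((value, scope), set())
    return granted


if __name__ == "__main__":
    print(sorted(resources_for(SAMPLE, {"domain.ac.uk", "sub.domain.ac.uk"})))
```

Because each value is checked independently, a user asserted in both scopes receives X and Y, while a scope the IdP is not registered for contributes nothing.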