Questions about returning roles in the Assertion
cantor.2 at osu.edu
Thu Aug 30 21:42:31 EDT 2012
On 8/30/12 9:14 PM, "Yaowen Tu" <yaowen.tu at gmail.com> wrote:
>What if in the LDAP it also has role definitions, and defined which users
>belong to which roles. Would it be possible to retrieve a list of roles
>of a particular user?
Not unless you store the role definitions inside the user objects using
isMemberOf or something, or add a connector that queries some attribute of
the role objects using filters based on the userid. I think the normal
approach is to store both ways. Users carry their groups and groups
contain their users, and something else maintains both.
>I am not very familiar with LDAP, so I hope that people in this list have
>done similar things before.
If you're not familiar with it, I'd avoid it, personally. Use a database
if that's what you're comfortable with.
>2) This is more of a general or best practice question: Is it common to
>include role information in the Assertion?
Yes, unless you're from the Burton Group apparently. I just sat through a
presentation today wherein I was told authoritatively that SAML wasn't
designed to carry authorization attributes. Imagine my surprise.
> For existing IdP providers especially those enterprise applications,
>what kind of information is usually included in the Assertion?
It varies widely. Some deployments are purely built on simple identity
data and some include a lot of information beyond that.
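As an added illustration of the two LDAP approaches mentioned above (this is example configuration written for this thread, not something from the original post or from the Shibboleth project's documentation), here is an IdP 2.x attribute-resolver fragment that does both: one connector reads the isMemberOf values stored on the user entry, and a second connector queries the group objects with a filter built from the userid and collects their cn values. The hostnames, DNs, connector IDs, service account and the friendly attribute names are placeholders; the mergeResults setting is assumed here as the way to get one attribute out of several matching group entries rather than only the first.

```xml
<!-- Example attribute-resolver.xml fragment (Shibboleth IdP 2.x syntax).
     All hostnames, DNs and credentials below are placeholders. -->
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Approach 1: roles carried on the user object (isMemberOf). -->
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="isMemberOf"
                                  sourceAttributeID="isMemberOf">
        <resolver:Dependency ref="peopleLDAP" />
        <!-- Released in the SAML 2 assertion under the eduPerson isMemberOf OID. -->
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
            name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf" />
    </resolver:AttributeDefinition>

    <resolver:DataConnector id="peopleLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="ldaps://ldap.example.org"
        baseDN="ou=people,dc=example,dc=org"
        principal="uid=idp-service,ou=system,dc=example,dc=org"
        principalCredential="PLACEHOLDER-PASSWORD">
        <!-- Look up the authenticated user's own entry by uid. -->
        <dc:FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName)
            ]]>
        </dc:FilterTemplate>
        <dc:ReturnAttributes>isMemberOf</dc:ReturnAttributes>
    </resolver:DataConnector>

    <!-- Approach 2: roles live on group objects; query them by member DN.
         The cn of every matching group becomes one value of "groupRole". -->
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="groupRole"
                                  sourceAttributeID="cn">
        <resolver:Dependency ref="groupsLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
            name="urn:example:attribute:groupRole" friendlyName="groupRole" />
    </resolver:AttributeDefinition>

    <resolver:DataConnector id="groupsLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="ldaps://ldap.example.org"
        baseDN="ou=groups,dc=example,dc=org"
        principal="uid=idp-service,ou=system,dc=example,dc=org"
        principalCredential="PLACEHOLDER-PASSWORD"
        mergeResults="true">
        <!-- Search the group subtree for every group that lists this user's
             DN as a member. The user DN is composed from the principal name
             and the people base DN used above. -->
        <dc:FilterTemplate>
            <![CDATA[
                (&(objectClass=groupOfNames)
                  (member=uid=$requestContext.principalName,ou=people,dc=example,dc=org))
            ]]>
        </dc:FilterTemplate>
        <dc:ReturnAttributes>cn</dc:ReturnAttributes>
    </resolver:DataConnector>

</resolver:AttributeResolver>
```

Whichever connector is used, the attribute still has to be released to the relying party in attribute-filter.xml before it appears in the assertion, and the group query only works if the member values in the directory are written in exactly the DN form the filter composes, which is one reason the post recommends keeping membership maintained in both directions by a single process.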