Franchise access being authenticated by our Shibboleth IdP

Keith Carr kecarr at sgul.ac.uk
Fri Feb 24 14:42:32 GMT 2012


On 23/02/12, Chad La Joie  <lajoie at itumi.biz> wrote:
> Well, there isn't any "must" or "have to" here.  What Scott and I and
> now Keith H. are trying to do is to head off a mistake we've seen over
> and over that causes problems.
> 
> So, let me be as blunt as possible.  Stop talking about franchises.
> It has *nothing* to do with authorization.
> 
Blunt is good :)

> 
> 
> Create an attribute in your LDAP called "entitlement".  Create
> separate values for access to SP1 ... SPN.
> 
That makes sense

> 
> 
> When a user should have access to SP1, put the SP1 entitlement in to
> the "entitlement" attribute.
> 
So all I need to do is write some JavaScript within the eduPersonEntitlement attribute definition in attribute-resolver.xml to pull out the relevant SP N entitlement from LDAP?

-Keith

> 
> 
> -- 
> Chad La Joie
> www.itumi.biz
> trusted identities, delivered