AW: Release different value for affiliation based on service provider
Baron Fujimoto
baron at hawaii.edu
Wed Nov 14 14:20:15 EST 2012
Yes, that's probably a better solution for what the original poster wanted.
In our specific case, we're mapping the (student, faculty, staff) values
to an attribute value "member". Sometimes we might want student mapped to
member, and sometimes not. Is there a way we could do that in the filter alone?
-baron
On Wed, Nov 14, 2012 at 10:16:30AM -0600, Christopher Bongaarts wrote:
>This is what we do as well. The only place I can think of where you
>would have to push the logic back into the resolver is if a specific
>user's *value* of the attribute depends on the SP, as opposed to the
>idea of releasing specific values that are otherwise constant per-user.
>
>On 11/14/2012 2:29 AM, Ortner Nikolaus wrote:
>
>> You could also use a single attribute (uh_eduPersonAffiliation) with the full information (faculty, staff, student) and have the filter sort it out.
>>
>> Something like:
>> ===== conf/attribute-filter.xml =====
>> <!-- SP_1 -->
>> <afp:AttributeFilterPolicy id="sp_1">
>> <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
>> value="https://sp1.example.com" />
>>
>> <afp:AttributeRule attributeID="uh_eduPersonAffiliation">
>> <afp:PermitValueRule xsi:type="basic:OR">
>> <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
>> <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
>> </afp:PermitValueRule>
>> </afp:AttributeRule>
>>
>> </afp:AttributeFilterPolicy>
>> <!-- /SP_1 -->
>>
>>
>> <!-- SP_2 -->
>> <afp:AttributeFilterPolicy id="sp_2">
>> <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
>> value="https://sp2.example.org" />
>>
>> <afp:AttributeRule attributeID="uh_eduPersonAffiliation">
>> <afp:PermitValueRule xsi:type="basic:ANY" />
>> </afp:AttributeRule>
>>
>> </afp:AttributeFilterPolicy>
>> <!-- /SP_2 -->
>> ===============================
>> --
>> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>>
>
>
>--
>%% Christopher A. Bongaarts %% cab at umn.edu %%
>%% OIT - Identity Management %% http://umn.edu/~cab %%
>%% University of Minnesota %% +1 (612) 625-1809 %%
--
Baron Fujimoto <baron at hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum