Implementing Shibboleth - fine-grained access w/in an application
Cantor, Scott
cantor.2 at osu.edu
Tue Jan 20 15:41:32 EST 2015
On 1/20/15, 7:12 PM, "Joe Blotner" <jblotner at marchex.com> wrote:
>Has anyone used Shibboleth to solve a use case similar to this one? If
>so, can you give me an overview of how it has been solved?
Shibboleth is agnostic. It doesn't know what you're passing in attributes
and what they mean; it's a separate step to define new attributes or
repurpose standard attributes to capture the information that an IdP can
communicate and use them in an SP or application.
There's no single answer to "how it works"; it works in whatever you
profile it to work.
In higher education, groups and entitlements are both used to some degree
and we have standard attributes for both. In practice, authorization is
rarely done cross-organizationally, and is a local application issue. In
enterprise deployments that are internal to one org, SAML is often used to
communicate roles, entitlements, groups, etc.
-- Scott