Implementing Shibboleth - fine-grained access w/in an application

Cantor, Scott cantor.2 at osu.edu
Tue Jan 20 15:41:32 EST 2015


On 1/20/15, 7:12 PM, "Joe Blotner" <jblotner at marchex.com> wrote:



>Has anyone used Shibboleth to solve a use case similar to this one?  If
>so, can you give me an overview of how it has been solved?

Shibboleth is agnostic. It doesn't know what you're passing in attributes
and what they mean; it's a separate step to define new attributes or
repurpose standard attributes to capture the information that an IdP can
communicate and use them in an SP or application.

There's no single answer to "how it works"; it works in whatever way you
profile it to work.

In higher education, groups and entitlements are both used to some degree 
and we have standard attributes for both. In practice, authorization is 
rarely done cross-organizationally, and is a local application issue. In 
enterprise deployments that are internal to one org, SAML is often used to 
communicate roles, entitlements, groups, etc.

-- Scott
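
Added example, not part of the original message or of the Shibboleth project's code: one way an application can make a local, fine-grained authorization decision from group and entitlement attributes delivered by its SP. It assumes the SP passes each attribute as a single string with values separated by ';' and literal semicolons escaped as '\;'; the attribute names, entitlement URNs, group names and policy table are hypothetical.

```python
# Added example: application-side authorization over released attributes.
# Assumption: each attribute arrives as one string, values joined by ';',
# with a literal ';' inside a value escaped as '\;'.

def split_values(raw):
    """Split a multi-valued attribute string, honouring escaped ';'."""
    raw = raw or ""
    values, cur, i = [], [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            cur.append(";")          # escaped separator is part of the value
            i += 2
            continue
        if ch == ";":
            values.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    values.append("".join(cur))
    return {v for v in values if v}  # drop empty values

# Hypothetical policy: action -> attribute name -> accepted values.
# Holding any one accepted value grants the action.
POLICY = {
    "report:view": {
        "entitlement": {"urn:example:app:reports:read"},
        "isMemberOf": {"app-analysts"},
    },
    "report:delete": {
        "entitlement": {"urn:example:app:reports:admin"},
    },
}

def is_authorized(action, attrs):
    """Default deny: unknown actions and missing attributes grant nothing."""
    rule = POLICY.get(action)
    if rule is None:
        return False
    # Exact set membership, never substring matching on the raw string.
    return any(split_values(attrs.get(name)) & accepted
               for name, accepted in rule.items())

# Constructed sample of what the SP might hand the application.
SAMPLE_ATTRS = {
    "entitlement": "urn:example:app:reports:read;urn:example:other\\;thing",
    "isMemberOf": "staff;app-analysts",
}
```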


