Geolocation attribute

Peter Schober peter.schober at univie.ac.at
Fri Apr 21 08:02:31 EDT 2017


* Peter Schober <peter.schober at univie.ac.at> [2017-04-21 13:38]:
> * David Langenberg <davel at uchicago.edu> [2017-04-21 13:31]:
> > Agreed – that the vendor is asking you to supply an attribute seems
> > to indicate flexibility in this area, else they could just do the
> > lookup.
> 
> Well, if there's flexibility I'd send them what they don't already know:
> The locations the subject /should/ be entitled to use the software from.
> (OP: "We have the primary location of each user in our LDAP")
> Not what my IDP sees as their location.

That's basically like a dynamic way of implementing IP access
restrictions, something which some resource owners (need to) insist on
(e.g. national licenses).  Only instead of the resource owner getting
the authorized IP ranges out of band once and configuring them
statically (until the next update), the IDP would send those as
attribute(s). The SP then only needs to determine whether
ip_in_range(remote_addr, range) is true on access.

-peter
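The SP-side check sketched in the message above, as an added Python example that is not code from the thread or from any Shibboleth component. It assumes the IdP releases the authorized ranges as a multi-valued attribute (the name authorizedNetworks and the sample values are constructed for this example) and that remote_addr is the client address the SP itself observed, not an unverified X-Forwarded-For header. Unparseable values are dropped and an empty or missing attribute denies access, so a misconfigured release fails closed rather than open.

```python
import ipaddress
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of what the IdP might release for one subject.
# The attribute name is an assumption; the ranges are documentation
# prefixes (TEST-NET-1/2, 2001:db8::/32), not real campus networks.
SAMPLE_ATTRIBUTES: Dict[str, List[str]] = {
    "authorizedNetworks": [
        "192.0.2.0/24",        # CIDR prefix
        "198.51.100.42",       # single host, implicitly /32
        "2001:db8:4::/48",     # IPv6 prefix
        "not-a-network",       # bad value: must be ignored, not trusted
    ],
}


def parse_networks(values: Iterable[str]) -> List[Network]:
    """Turn attribute values into network objects, skipping anything
    that is not a valid prefix or address."""
    networks: List[Network] = []
    for raw in values:
        value = raw.strip()
        if not value:
            continue
        try:
            # strict=False accepts host addresses and prefixes with host bits set
            networks.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            # Unparseable value released by the IdP: drop it rather than
            # guess at what was meant.
            continue
    return networks


def ip_in_range(remote_addr: str, networks: Iterable[Network]) -> bool:
    """True if remote_addr lies inside any of the given networks.
    Malformed addresses are treated as outside every range."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    # Membership across address families is always False; the explicit
    # version check just makes that intent visible.
    return any(addr.version == net.version and addr in net for net in networks)


def access_allowed(attributes: Dict[str, List[str]], remote_addr: str,
                   attr_name: str = "authorizedNetworks") -> bool:
    """Decide access for one request from the released attribute set.
    No usable ranges means deny: the resource owner's restriction is
    enforced only when the IdP actually said where the user may come from."""
    networks = parse_networks(attributes.get(attr_name, []))
    if not networks:
        return False
    return ip_in_range(remote_addr, networks)


if __name__ == "__main__":
    for client in ("192.0.2.17", "198.51.100.42", "198.51.100.43",
                   "2001:db8:4:1::beef", "2001:db8:5::1", "garbage"):
        print(client, "->", "allow" if access_allowed(SAMPLE_ATTRIBUTES, client) else "deny")
```

Note that this moves the trust question rather than removing it: the SP now relies on the IdP to release correct ranges for each subject instead of on a static list from the resource owner, so the attribute should be released only to the SPs that are contractually entitled to it.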

