Uncertainty about scopes in metadata and it's relation to scoped attributes.

IAM David Bantz dabantz at alaska.edu
Wed Jul 3 15:32:32 EDT 2019 

You have other ways of distinguishing students from staff
(eduPersonAffiliation? or make use of those mail.pima.edu addresses to
indicate students). Ideally the services (not your identity provider)
determine whether to provide access based on what you assert (for example
that they are students or staff or both or neither); if some services are
not prepared to do that correctly, then you can use those data  if you like
in attribute-filter, to release attributes conditionally (for example only
if they are staff).

David Bantz

On Wed, Jul 3, 2019 at 11:24 AM Mathis, Bradley <bmathis at pima.edu> wrote:

> Thanks for this feedback also.   the EPPNs have started being used more
> recently ... I'm not sure we have any systems that actually are used by
> students e.g.  EPPN of  student1 at mail.pima.edu  so I might could make the
> change and not break anything.   hmm though not sure if it might allow
> students access to things they shouldn't have either. ...  oh boy I better
> think this one through a bit.
>
> Thanks for all the feed back.
>
> Brad Mathis
> IT Principal Systems Analyst
> Infrastructure Services - Applications
> Pima Community College
> 520.206.4826
> bmathis at pima.edu
>
>
>
>
>
>
>
>
>
> On Wed, Jul 3, 2019 at 12:07 PM Cantor, Scott <cantor.2 at osu.edu> wrote:
>
>> On 7/3/19, 3:03 PM, "users on behalf of IAM David Bantz" <
>> users-bounces at shibboleth.net on behalf of dabantz at alaska.edu> wrote:
>>
>> > Assign ePPN of student1 at pima.edu [instead of the email address] in
>> attribute-resolver.
>>
>> Highly advisable, but I assumed those EPPNs were already in wide
>> circulation so as to preclude changing them. If not, by all means, do so.
>>
>> -- Scott
>>
>>
>> --
>> For Consortium Member technical support, see
>> https://wiki.shibboleth.net/confluence/x/coFAAg
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
>>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20190703/a21d43b0/attachment.html>

More information about the users mailing list