Entitlement generation at UW for Shib 1.3
Summary: Calculates the Shibboleth entitlement attribute from other attributes.
Version: 1.0
Download: Java source: EntitlementCalculator.java
A Shibboleth entitlement is a multi-purpose, poorly defined, catch-all bucket of an attribute. As such it generally has to be calculated, rather than just looked up. This 'data connector' for Shibboleth version 1.3 computes the entitlement attribute value from the values of other attributes. Other connectors supply those values. ARPs (attribute release policies) select which entitlement values are released to specific service providers.

The entitlement calculator's configuration contains a list of dependencies, followed by one or more entitlement specifications. Each Entitlement element defines the entitlement value and the conditions necessary to release that value. The connector configuration looks like:
  <!-- 'Connector' for entitlements -->
  <CustomDataConnector id="entitlement-calculator"
                       class="edu.washington.EntitlementCalculator">
    <!-- must list all possible dependencies -->
    <AttributeDependency
         requires="one of your previously specified attributes"/>
    <AttributeDependency
         requires="another of your previously specified attributes"/>
    . . .
    <Entitlement xmlns="urn:washington.edu:dataconnector:1.0"
                 value="entitlement value to send">
      <Condition
           attribute="one of your previously specified attributes"
           value="value required"/>
      <Condition
           attribute="another of your previously specified attributes"
           value="value required"/>
      . . .
    </Entitlement>
    . . .
  </CustomDataConnector>
- By default multiple conditions are OR'd, meaning any one match satisfies the conditions and the entitlement is generated. You can make the operation an AND with the Entitlement element attribute op="AND".
- An entitlement value may contain attribute substitutions. If a value string contains "%attr%", the value of the attribute attr will be substituted.
- Multi-valued attributes will generate multiple entitlement values, one per attribute value.
- Any attributes used for substitution must be listed in the attribute dependency section.
- The calculator could be used to generate any attribute, not just entitlements.
- The namespace attribute for Entitlement can be any unique URN. You have to specify one because the Entitlement element is not in any schema definition.
The connector returns a single source name, "entitlement", so it is referenced like this:

  <SimpleAttributeDefinition
       id="urn:mace:dir:attribute-def:eduPersonEntitlement"
       sourceName="entitlement">
    <DataConnectorDependency requires="entitlement-calculator"/>
  </SimpleAttributeDefinition>
This example shows how we might compute a couple of entitlements:
- the 'standard' entitlement "common:1" (UW person or walk-in) and
- an entitlement for WebAssign (includes course information).
  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonEntitlement"
                             sourceName="entitlement">
    <DataConnectorDependency requires="entitlement-calculator"/>
  </SimpleAttributeDefinition>
  <!-- the attribute id must match the dependency and substitution names used below -->
  <SimpleAttributeDefinition id="urn:mace:washington.edu:crs:sln"
                             sourceName="sln">
    <DataConnectorDependency requires="courses-ldap"/>
  </SimpleAttributeDefinition>
  . . .
  <!-- 'Connector' for entitlements -->
  <CustomDataConnector id="entitlement-calculator"
                       class="edu.washington.EntitlementCalculator">
    <!-- must list all possible dependencies -->
    <AttributeDependency
         requires="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
    <AttributeDependency
         requires="urn:mace:dir:attribute-def:eduPersonPrincipalName"/>
    <AttributeDependency
         requires="urn:mace:washington.edu:crs:sln"/>
    <!-- common:1 is released if any one of these conditions matches (default OR) -->
    <Entitlement xmlns="urn:washington.edu:dataconnector:1.0"
                 value="urn:mace:incommon:entitlement:common:1">
      <Condition
           attribute="urn:mace:dir:attribute-def:eduPersonAffiliation"
           value="staff"/>
      <Condition
           attribute="urn:mace:dir:attribute-def:eduPersonAffiliation"
           value="student"/>
      <Condition
           attribute="urn:mace:dir:attribute-def:eduPersonAffiliation"
           value="faculty"/>
      <Condition
           attribute="urn:mace:dir:attribute-def:eduPersonPrincipalName"
           value="usr_kiosk@washington.edu"/>
    </Entitlement>
    <!-- one WebAssign entitlement per value of the (multi-valued) sln attribute -->
    <Entitlement xmlns="urn:washington.edu:dataconnector:1.0"
                 value="urn:mace:washington.edu:crs:WIN2005:%urn:mace:washington.edu:crs:sln%">
      <Condition
           attribute="urn:mace:dir:attribute-def:eduPersonAffiliation"
           value="student"/>
    </Entitlement>
  </CustomDataConnector>
where
- the special id "usr_kiosk" is generated by the auth_location module when a user is in a participating library.
- the attribute urn:mace:washington.edu:crs:sln will be multi-valued, having one entry for each course in which a student is registered. The entitlement value will be similarly multi-valued.
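To make the evaluation rules above concrete (default OR, op="AND", %attr% substitution, and fan-out over multi-valued attributes), here is an added reference model written for this page; it is not the UW connector's Java source. The config string and the attribute values are constructed, and the second Entitlement is given op="AND" and an extra "member" condition purely to exercise the AND path.

```python
import re
import xml.etree.ElementTree as ET
from itertools import product

NS = "{urn:washington.edu:dataconnector:1.0}"
SUBST = re.compile(r"%([^%]+)%")
AFF = "urn:mace:dir:attribute-def:eduPersonAffiliation"
EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"
SLN = "urn:mace:washington.edu:crs:sln"

# Constructed sample config modelled on the page's example; the AND
# entitlement is an assumption added to show the non-default operator.
CONFIG = f"""<CustomDataConnector id="entitlement-calculator">
  <Entitlement xmlns="urn:washington.edu:dataconnector:1.0"
               value="urn:mace:incommon:entitlement:common:1">
    <Condition attribute="{AFF}" value="staff"/>
    <Condition attribute="{AFF}" value="student"/>
    <Condition attribute="{AFF}" value="faculty"/>
    <Condition attribute="{EPPN}" value="usr_kiosk@washington.edu"/>
  </Entitlement>
  <Entitlement xmlns="urn:washington.edu:dataconnector:1.0" op="AND"
               value="urn:mace:washington.edu:crs:WIN2005:%{SLN}%">
    <Condition attribute="{AFF}" value="student"/>
    <Condition attribute="{AFF}" value="member"/>
  </Entitlement>
</CustomDataConnector>"""

def evaluate(config_xml, attrs):
    """Return entitlement values for attrs (attribute name -> list of values)."""
    out = []
    for ent in ET.fromstring(config_xml).iter(NS + "Entitlement"):
        hits = [c.get("value") in attrs.get(c.get("attribute"), [])
                for c in ent.findall(NS + "Condition")]
        # Conditions are OR'd unless the element carries op="AND".
        if not (all(hits) if ent.get("op") == "AND" else any(hits)):
            continue
        template = ent.get("value")
        names = SUBST.findall(template)
        # A multi-valued substitution attribute fans out to one entitlement
        # per value; a name with no values yields nothing, never a literal "%x%".
        for combo in product(*(attrs.get(n, []) for n in names)):
            value = template
            for n, v in zip(names, combo):
                value = value.replace(f"%{n}%", v, 1)
            out.append(value)
    return out

if __name__ == "__main__":
    print(evaluate(CONFIG, {AFF: ["student", "member"], SLN: ["12345", "67890"]}))
```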
Jim Fox
UW Technology
Identity and Access Management
University of Washington
fox@washington.edu