IDENTITY AND ACCESS MANAGEMENT

Entitlement generation at UW for Shib 1.3

Summary: Calculates the shibboleth entitlement attribute from other attributes.
Version: 1.0
Download: Java source: EntitlementCalculator.java

A Shibboleth entitlement is a multi-purpose, poorly defined, catch-all bucket of an attribute. As such it generally has to be calculated, rather than just looked up.

This 'data connector' for Shibboleth version 1.3 computes the entitlement attribute value from the values of other attributes. Other connectors supply those values. ARPs (attribute release policies) select which entitlement values are released to specific service providers.

The entitlement calculator's configuration contains a list of dependencies, followed by one or more entitlement specifications. Each Entitlement element defines the entitlement value and the conditions necessary to release that value. The connector configuration looks like:

  <!-- 'Connector' for entitlements -->
  <CustomDataConnector id="entitlement-calculator"
         class="edu.washington.EntitlementCalculator">
     <!-- must list all possible dependencies -->
     <AttributeDependency
         requires="one of your previously specified attributes"/>
     <AttributeDependency
         requires="another of your previously specified attributes"/>
       .  .  .

     <Entitlement xmlns="urn:washington.edu:dataconnector:1.0"
                     value="entitlement value to send">
         <Condition
             attribute="one of your previously specified attributes"
             value="value required"/>
         <Condition
             attribute="another of your previously specified attributes"
             value="value required"/>
           .  .  .
     </Entitlement>

     .  .  .

  </CustomDataConnector>


  1. By default multiple conditions are OR'd, meaning any one match satisfies the conditions and the entitlement is generated. You can make the operation an AND with the Entitlement element attribute op="AND".

  2. An entitlement value may contain attribute substitutions. If a value string contains "%attr%" the value of the attribute will be substituted.

    • Multiple valued attributes will generate multiple entitlement values.
    • Any attributes used for substitution must be specified in the attribute dependency section.

  3. The calculator could be used to generate any attributes - not just entitlements.

  4. The namespace attribute for Entitlement can be any unique urn. You have to specify one because the Entitlement element is not in any schema definitions.

The connector returns a single source name, "entitlement", so it is referenced like this:

  <SimpleAttributeDefinition
          id="urn:mace:dir:attribute-def:eduPersonEntitlement"
          sourceName="entitlement">
      <DataConnectorDependency requires="entitlement-calculator"/>
  </SimpleAttributeDefinition>

This example shows how we might compute a couple of entitlements:

  1. the 'standard' entitlement "common:1" (UW person or walk-in) and
  2. an entitlement for WebAssign (includes course information).

  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonEntitlement"
         sourceName="entitlement">
      <DataConnectorDependency requires="entitlement-calculator"/>
  </SimpleAttributeDefinition>

  <SimpleAttributeDefinition id="urn:mace:washington.edu:crs:sln"
         sourceName="sln">
      <DataConnectorDependency requires="courses-ldap"/>
  </SimpleAttributeDefinition>

  . . .

  <!-- 'Connector' for entitlements -->
  <CustomDataConnector id="entitlement-calculator"
         class="edu.washington.EntitlementCalculator">
     <!-- must list all possible dependencies -->
     <AttributeDependency
         requires="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
     <AttributeDependency
         requires="urn:mace:dir:attribute-def:eduPersonPrincipalName"/>
     <AttributeDependency
         requires="urn:mace:washington.edu:crs:sln"/>

     
     <Entitlement xmlns="urn:washington.edu:dataconnector:1.0"
                     value="urn:mace:incommon:entitlement:common:1">
         <Condition
             attribute="urn:mace:dir:attribute-def:eduPersonAffiliation"
             value="staff"/>
         <Condition
             attribute="urn:mace:dir:attribute-def:eduPersonAffiliation"
             value="student"/>
         <Condition
             attribute="urn:mace:dir:attribute-def:eduPersonAffiliation"
             value="faculty"/>
         <Condition
             attribute="urn:mace:dir:attribute-def:eduPersonPrincipalName"
             value="usr_kiosk@washington.edu"/>
     </Entitlement>

     
     <Entitlement xmlns="urn:washington.edu:dataconnector:1.0"
       value="urn:mace:washington.edu:crs:WIN2005:%urn:mace:washington.edu:crs:sln%">
         <Condition
             attribute="urn:mace:dir:attribute-def:eduPersonAffiliation"
             value="student"/>
     </Entitlement>

  </CustomDataConnector>

where

  • the special id of "usr_kiosk" is generated by the auth_location module when a user is in a participating library.

  • the attribute urn:mace:washington.edu:crs:sln will be multi-valued, having one entry for each course in which a student is registered. The entitlement value will be similarly multi-valued.
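To make the rules above concrete (OR'd versus AND'd conditions, %attr% substitution, fan-out over multi-valued attributes, and the requirement that every attribute used be listed as a dependency), here is an added Python model of the calculation. It is not the UW connector's Java code; it parses a constructed copy of the example configuration above (with the truncated second Condition of the course entitlement left out) and the sample users are made up.

```python
import itertools
import re
import xml.etree.ElementTree as ET

NS = "urn:washington.edu:dataconnector:1.0"
SUBST = re.compile(r"%([^%]+)%")   # matches %attr% substitution markers

# Constructed connector configuration, copied from the page's example with the
# truncated second Condition of the course entitlement left out.
CONFIG = """\
<CustomDataConnector id="entitlement-calculator"
       class="edu.washington.EntitlementCalculator">
   <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
   <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonPrincipalName"/>
   <AttributeDependency requires="urn:mace:washington.edu:crs:sln"/>
   <Entitlement xmlns="urn:washington.edu:dataconnector:1.0"
                value="urn:mace:incommon:entitlement:common:1">
      <Condition attribute="urn:mace:dir:attribute-def:eduPersonAffiliation" value="staff"/>
      <Condition attribute="urn:mace:dir:attribute-def:eduPersonAffiliation" value="student"/>
      <Condition attribute="urn:mace:dir:attribute-def:eduPersonAffiliation" value="faculty"/>
      <Condition attribute="urn:mace:dir:attribute-def:eduPersonPrincipalName"
                 value="usr_kiosk@washington.edu"/>
   </Entitlement>
   <Entitlement xmlns="urn:washington.edu:dataconnector:1.0"
                value="urn:mace:washington.edu:crs:WIN2005:%urn:mace:washington.edu:crs:sln%">
      <Condition attribute="urn:mace:dir:attribute-def:eduPersonAffiliation" value="student"/>
   </Entitlement>
</CustomDataConnector>
"""


def parse_config(xml_text):
    """Return (declared dependencies, entitlement specs) from a connector config."""
    root = ET.fromstring(xml_text)
    deps = {d.get("requires") for d in root.findall("AttributeDependency")}
    ents = []
    for ent in root.findall(f"{{{NS}}}Entitlement"):
        ents.append({
            "value": ent.get("value"),
            "op": ent.get("op", "OR").upper(),       # conditions are OR'd unless op="AND"
            "conditions": [(c.get("attribute"), c.get("value"))
                           for c in ent.findall(f"{{{NS}}}Condition")],
        })
    return deps, ents


def missing_dependencies(deps, ents):
    """Attributes used by a Condition or a %attr% substitution but not declared
    as an AttributeDependency; the page requires every such attribute be listed."""
    used = set()
    for ent in ents:
        used.update(attr for attr, _ in ent["conditions"])
        used.update(SUBST.findall(ent["value"]))
    return sorted(used - deps)


def expand(template, attrs):
    """Apply %attr% substitutions. A multi-valued attribute fans out into one
    entitlement value per attribute value (cartesian product if several)."""
    names = SUBST.findall(template)
    if not names:
        return [template]
    out = []
    for combo in itertools.product(*(attrs.get(n, []) for n in names)):
        text = template
        for name, val in zip(names, combo):
            text = text.replace(f"%{name}%", val)
        out.append(text)
    return out


def calculate(attrs, ents):
    """attrs maps attribute name -> list of values for the current user.
    Returns the list of entitlement values the connector would emit."""
    values = []
    for ent in ents:
        hits = [wanted in attrs.get(attr, []) for attr, wanted in ent["conditions"]]
        satisfied = all(hits) if ent["op"] == "AND" else any(hits)
        if satisfied:
            values.extend(expand(ent["value"], attrs))
    return values


DEPS, ENTITLEMENTS = parse_config(CONFIG)

# Constructed sample users (not real accounts).
STUDENT = {
    "urn:mace:dir:attribute-def:eduPersonAffiliation": ["student"],
    "urn:mace:dir:attribute-def:eduPersonPrincipalName": ["jdoe@washington.edu"],
    "urn:mace:washington.edu:crs:sln": ["12345", "67890"],
}
KIOSK = {
    "urn:mace:dir:attribute-def:eduPersonAffiliation": ["affiliate"],
    "urn:mace:dir:attribute-def:eduPersonPrincipalName": ["usr_kiosk@washington.edu"],
}

if __name__ == "__main__":
    print("undeclared:", missing_dependencies(DEPS, ENTITLEMENTS))
    print("student:", calculate(STUDENT, ENTITLEMENTS))
    print("kiosk:", calculate(KIOSK, ENTITLEMENTS))
```

Running it shows the student receiving common:1 plus one WIN2005 course entitlement per registered SLN, while the kiosk identity receives only common:1 because its affiliation fails the student condition. The missing_dependencies check is the kind of start-up validation worth having in a real connector: a substitution against an attribute that was never declared as a dependency silently produces no entitlement rather than an error.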


Jim Fox
UW Technology
Identity and Access Management
University of Washington
fox@washington.edu

© 1983-2017, University of Washington