[Shib-Dev] 24/3 Dev Meeting, Request for Topics


Chad La Joie

Mar 14, 2011, 5:46:52 PM
to shibbol...@internet2.edu
The next dev meeting will be March 24th. If you have agenda topics
please suggest them before this Thursday (March 18th).

--
Chad La Joie
http://itumi.biz
trusted identities, delivered

Cantor, Scott E.

Mar 14, 2011, 8:26:00 PM
to shibbol...@internet2.edu
> The next dev meeting will be March 24th. If you have agenda topics
> please suggest them before this Thursday (March 18th).

If I'm able to duck out for the call, I'd like to discuss the MDX/Query metadata plugin that's planned for 2.3 and some feature questions/limitations on it. I may have a chance to put a first draft together sooner than that anyway, in which case I'll probably circulate questions to the list.

-- Scott

Tom Zeller

Mar 17, 2011, 10:20:40 AM
to shibbol...@internet2.edu
> The next dev meeting will be March 24th.  If you have agenda topics
> please suggest them before this Thursday (March 18th).

It is probably good that I missed the Thursday the 18th cutoff :-)

I am interested in an ldap interface to the attribute resolver. While
probably no one in their right mind would position the IdP as a
directory, an ldap interface might allow an IdP to act as a backend to
a real directory, such as openldap or apache ds v2. A read-only ldap
interface (search) might be possible and I think similar to SAML
attribute requests ?

I am also interested in an external authorization manager, something
like a XACML PDP, as an attribute filterer.

Perhaps pipe dreams.

Cantor, Scott E.

Mar 17, 2011, 11:48:24 AM
to shibbol...@internet2.edu
On 3/17/11 10:20 AM, "Tom Zeller" <tze...@memphis.edu> wrote:
>I am interested in an ldap interface to the attribute resolver. While
>probably no one in their right mind would position the IdP as a
>directory, an ldap interface might allow an IdP to act as a backend to
>a real directory, such as openldap or apache ds v2. A read-only ldap
>interface (search) might be possible and I think similar to SAML
>attribute requests ?

Actually, the likely overlap between an LDAP interface and the features in
SAML are things we don't support much, if at all, like filtering
attributes or values from the request side.

And of course LDAP lets you "search", whereas the IdP really can only
lookup via a key that is resolved from a SAML Subject.

>I am also interested in an external authorization manager, something
>like a XACML PDP, as an attribute filterer.

Given the challenges we've had trying to figure out how XACML could work
as a filtering policy language, and more recently as a possible way to
handle metadata-based consent (we talked about that in Edinburgh at the
dev F2F), it would be interesting work to have somebody explore it.

-- Scott

Jim Fox

Mar 17, 2011, 11:58:32 AM
to shibbol...@internet2.edu

On Thu, 17 Mar 2011, Tom Zeller wrote:

> Date: Thu, 17 Mar 2011 07:20:40 -0700
> From: Tom Zeller <tze...@memphis.edu>
> To: shibbol...@internet2.edu
> Reply-To: shibbol...@internet2.edu
> Subject: Re: [Shib-Dev] 24/3 Dev Meeting, Request for Topics

Your pipe has better stuff than my pipe.

Jim

Tom Zeller

Mar 17, 2011, 6:02:09 PM
to shibbol...@internet2.edu
> Actually, the likely overlap between an LDAP interface and the features in
> SAML are things we don't support much, if at all, like filtering
> attributes or values from the request side.
>
> And of course LDAP lets you "search", whereas the IdP really can only
> lookup via a key that is resolved from a SAML Subject.

Good point. I need to understand better how OpenLDAP and ApacheDS
support custom backends.
