Shibboleth groups use cases

Ben Companjen

Sep 29, 2015, 8:56:59 AM
to Dataverse-community
Hi all,

Now that DANS has a test installation with Shibboleth enabled, we would like to set up groups based on attributes that come in to Shibboleth and Dataverse.

Dataverse already supports having a group for all users coming from a specific Identity Provider (IdP), but DataverseNL is atypical in that we have IdP federation, meaning all users have the same IdP. The IdP-based group therefore doesn't work for us. Issue 1515 is about specifying groups as "everyone whose attribute X matches the regular expression Y", but that may be too limited for us as well (I added a comment already).

But before I start suggesting a specific way of looking at groups, I was wondering if others have similar or (very) different ideas. Odum, maybe? [1]

I am thinking that a group may be defined by one or more attributes and at least one value for each attribute.
For example (as in my comment on the issue):
  • affiliation: faculty && HomeOrg: universityX.nl
  • HomeOrg: universityY.nl && eduPersonEntitlement: urn:x-surfnet:dataverse.nl:researcher
Maybe one could imagine a group consisting of users affiliated to both universityX and universityY, or a group having two specific values for eduPersonEntitlement.

Or is it more common to tell IdPs to make sure the users in a specific group have an attribute+value that is exclusive to that group?

Thanks for your input!

Ben

[1] At the "Auth breakout session" at the Dataverse Community Meeting in June both DANS and Odum said they would start testing Shibboleth in Dataverse 4.
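
The group definition discussed in the post above, worked through as an added example; it is not part of the original post and not Dataverse code. The rule format, the "any"/"all" modes, the group names and the sample sessions are assumptions made for illustration; attribute values are split the way the Shibboleth SP delivers multi-valued attributes (joined with `;`).

```python
import re

def split_values(raw):
    """Shibboleth SP joins multi-valued attributes with ';' and escapes a
    literal ';' inside a value as '\\;'. Missing attribute -> empty set."""
    if not raw:
        return set()
    parts = re.split(r"(?<!\\);", raw)
    return {p.replace("\\;", ";").strip() for p in parts if p.strip()}

# Hypothetical rule format (an assumption, not Dataverse's): all listed
# attributes must match (AND). Per attribute, "any" needs one of the listed
# values and "all" needs every listed value. Comparison is exact, not regex.
GROUPS = {
    "x-faculty": {"affiliation": ("any", {"faculty"}),
                  "HomeOrg": ("any", {"universityX.nl"})},
    "y-researchers": {"HomeOrg": ("any", {"universityY.nl"}),
                      "eduPersonEntitlement":
                          ("any", {"urn:x-surfnet:dataverse.nl:researcher"})},
    "x-and-y": {"HomeOrg": ("all", {"universityX.nl", "universityY.nl"})},
}

def is_member(rule, attrs):
    if not rule:                      # an empty rule must not match everyone
        return False
    for name, (mode, wanted) in rule.items():
        have = split_values(attrs.get(name))
        if not wanted:                # fail closed on an empty value list
            return False
        matched = wanted <= have if mode == "all" else bool(wanted & have)
        if not matched:
            return False
    return True

def groups_for(attrs, groups=GROUPS):
    return sorted(g for g, rule in groups.items() if is_member(rule, attrs))

# Constructed sample sessions, not real users.
ALICE = {"affiliation": "member;faculty", "HomeOrg": "universityX.nl"}
BOB = {"HomeOrg": "universityY.nl",
       "eduPersonEntitlement": "urn:x-surfnet:dataverse.nl:researcher"}
BOTH = {"HomeOrg": "universityX.nl;universityY.nl"}
LOOKALIKE = {"affiliation": "faculty", "HomeOrg": "evil-universityX.nl"}

if __name__ == "__main__":
    for who in (ALICE, BOB, BOTH, LOOKALIKE):
        print(groups_for(who))
```

Exact set comparison keeps a look-alike value such as `evil-universityX.nl` out of the group, which an unanchored regular expression on the same attribute would not.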