Hi all,
Now that DANS has a test installation with Shibboleth enabled, we would like to set up groups based on attributes that come in to Shibboleth and Dataverse.
Dataverse already supports having a group for all users coming from a specific Identity Provider (IdP), but DataverseNL is atypical in that we have IdP federation, meaning all users have the same IdP. The IdP-based group therefore doesn't work for us.
Issue 1515 is about specifying groups as "everyone whose attribute X matches the regular expression Y", but that may be too limited for us as well (I added a comment already).
But before I start suggesting a specific way of looking at groups, I was wondering if others have similar or (very) different ideas. Odum, maybe? [1]
I am thinking that a group may be defined by one or more attributes and at least one value for each attribute.
For example (as in my comment on the issue):
affiliation: faculty && HomeOrg: universityX.nl
HomeOrg: universityY.nl && eduPersonEntitlement: urn:x-surfnet:dataverse.nl:researcher
Maybe one could imagine a group consisting of users affiliated to both universityX and universityY, or a group having two specific values for eduPersonEntitlement.
Or is it more common to tell IdPs to make sure the users in a specific group have an attribute+value that is exclusive to that group?
Thanks for your input!
Ben
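
The group model proposed in the post above, sketched as an added example (not part of the original message and not Dataverse code). It assumes multi-valued attributes arrive as one semicolon-separated string, as the Shibboleth SP delivers them; the rule format, function names and sample sessions are hypothetical. Values are compared exactly and empty rules fail closed, so a lookalike `HomeOrg` or a missing attribute never grants membership.

```python
import re

# Group rules modelled on the examples in the post: attributes are ANDed;
# per attribute, "any" needs one listed value and "all" needs every listed value.
GROUPS = {
    "faculty_x": {"affiliation": {"any": ["faculty"]},
                  "HomeOrg": {"any": ["universityX.nl"]}},
    "researcher_y": {"HomeOrg": {"any": ["universityY.nl"]},
                     "eduPersonEntitlement":
                         {"any": ["urn:x-surfnet:dataverse.nl:researcher"]}},
    "x_and_y": {"HomeOrg": {"all": ["universityX.nl", "universityY.nl"]}},
}

def split_values(raw):
    """Split a multi-valued attribute string on ';' (an escaped '\\;' is a literal)."""
    if not raw:
        return set()
    parts = re.split(r"(?<!\\);", raw)
    return {p.replace("\\;", ";").strip() for p in parts if p.strip()}

def in_group(rule, attrs):
    """True only if every attribute condition in the rule is satisfied."""
    if not rule:
        return False  # fail closed: an empty rule must not match every user
    for name, cond in rule.items():
        have = split_values(attrs.get(name))
        any_of, all_of = set(cond.get("any", [])), set(cond.get("all", []))
        if not any_of and not all_of:
            return False  # a condition without values also fails closed
        if any_of and not (have & any_of):
            return False
        if all_of and not all_of <= have:
            return False
    return True

def groups_for(attrs, groups=GROUPS):
    """Sorted names of all groups whose rule matches the session attributes."""
    return sorted(name for name, rule in groups.items() if in_group(rule, attrs))

# Constructed sample sessions (illustrative values, not real users).
SAMPLES = {
    "alice": {"affiliation": "member;faculty", "HomeOrg": "universityX.nl"},
    "bob": {"HomeOrg": "universityY.nl",
            "eduPersonEntitlement": "urn:x-surfnet:dataverse.nl:researcher"},
    "carol": {"affiliation": "faculty", "HomeOrg": "universityX.nl;universityY.nl"},
    "lookalike": {"affiliation": "faculty", "HomeOrg": "universityX.nl.example.org"},
}

if __name__ == "__main__":
    for who, attrs in SAMPLES.items():
        print(who, groups_for(attrs))
```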