...

In both examples, we want to deliver group membership for a particular identity only to specific Shibboleth SPs. This keeps the isMemberOf list small for each person on each website and prevents an SP from seeing membership in a group that could reveal sensitive information about the person. We do this by setting a Grouper attribute on each group that lists, by EntityID, the SPs we want to release that group's membership to. The Grouper attribute is defined as a multi-valued string that can be applied to groups. As a result, some SPs may see no groups at all, while others may see many; it depends on whether that SP's EntityID is set as a value of the attribute on the group. Because the attribute is multi-valued, multiple EntityIDs can be specified per group. At the moment we do not have any groups that are released by default to all SPs, but this could easily be implemented by changing the query to look for something like "DEFAULT" in addition to the SP EntityID as a value for the attribute. Any groups we wanted to be default-release would get the value "DEFAULT" applied to them.

If you would like to see a version of this in action, a working demo of this group delivery model was built into the 2017 TechEx TIER Provisioning/Deprovisioning Canvas Demo.

At the time of writing, the attribute mechanism in Grouper is not especially user-friendly or intuitive. We would not want our end users to have to go through the complicated process of setting an attribute on a group. Our front-end to Grouper, called "Manifest", allows a group administrator to easily set which EntityIDs they want their group released to:

...

Generic Implementation (with Default Release)

<resolver:DataConnector id="grouperDB" xsi:type="dc:RelationalDatabase" readOnlyConnection="false" queryTimeout="PT3S">
    <resolver:Dependency ref="uid"/>
    <dc:BeanManagedConnection>MyDataSource</dc:BeanManagedConnection>
    <dc:QueryTemplate><![CDATA[
        #if (${uid.size()} > 0)
        SELECT DISTINCT grouper_memberships_lw_v.group_name name
        FROM grouper.grouper_aval_asn_group_v
        JOIN grouper.grouper_memberships_lw_v
        USING (group_id)
        WHERE subject_id='$uid.get(0)'
        AND grouper_aval_asn_group_v.attribute_def_name_name='etc:attribute:attrShibEntityId:ShibEntityId'
        AND (value_string = '$requestContext.getPeerEntityId()' OR value_string='DEFAULT')
        AND grouper_aval_asn_group_v.enabled='T'
        ORDER BY group_name ASC;
        #else
        SELECT 1 FROM DUAL
        #end
    ]]></dc:QueryTemplate>
</resolver:DataConnector>
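To show what the query above actually releases, here is an added example (not from the original page, nor from the Shibboleth or Grouper projects) that builds an in-memory sqlite3 stand-in for the two Grouper views the data connector joins, fills it with constructed rows, and runs the same release logic per SP. The EntityIDs, subject ids and group names are made up, the attribute name is the generic one from the query, and the SQL is expressed with bound parameters instead of Velocity interpolation.

```python
import sqlite3

# Constructed sample rows modelled on the two Grouper views used by the IdP query.
SAMPLE_MEMBERSHIPS = [  # (subject_id, group_id, group_name)
    ("jdoe", "g1", "app:payroll:users"),
    ("jdoe", "g2", "app:library:patrons"),
    ("jdoe", "g3", "app:research:lab42"),
    ("asmith", "g1", "app:payroll:users"),
]
ATTR_NAME = "etc:attribute:attrShibEntityId:ShibEntityId"
SAMPLE_ATTR_VALUES = [  # (group_id, attribute_def_name_name, value_string, enabled)
    ("g1", ATTR_NAME, "https://payroll.example.edu/shibboleth", "T"),
    ("g2", ATTR_NAME, "DEFAULT", "T"),                                  # released to every SP
    ("g3", ATTR_NAME, "https://payroll.example.edu/shibboleth", "F"),   # disabled assignment
    ("g3", ATTR_NAME, "https://lab.example.edu/shibboleth", "T"),
]

# Same shape as the QueryTemplate: membership view joined to the attribute-value view,
# filtered on this SP's EntityID or the DEFAULT marker, enabled assignments only.
RELEASE_QUERY = """
SELECT DISTINCT m.group_name
FROM grouper_aval_asn_group_v a
JOIN grouper_memberships_lw_v m USING (group_id)
WHERE m.subject_id = ?
  AND a.attribute_def_name_name = ?
  AND (a.value_string = ? OR a.value_string = 'DEFAULT')
  AND a.enabled = 'T'
ORDER BY m.group_name ASC
"""


def build_sample_db() -> sqlite3.Connection:
    """Create the two stand-in views and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE grouper_memberships_lw_v (subject_id TEXT, group_id TEXT, group_name TEXT);
        CREATE TABLE grouper_aval_asn_group_v (group_id TEXT, attribute_def_name_name TEXT,
                                               value_string TEXT, enabled TEXT);
    """)
    conn.executemany("INSERT INTO grouper_memberships_lw_v VALUES (?,?,?)", SAMPLE_MEMBERSHIPS)
    conn.executemany("INSERT INTO grouper_aval_asn_group_v VALUES (?,?,?,?)", SAMPLE_ATTR_VALUES)
    return conn


def groups_released_to_sp(conn, subject_ids, peer_entity_id):
    """Mirror the connector: the '#if (${uid.size()} > 0)' guard yields nothing when no
    subject id resolved; otherwise return the groups this SP is allowed to see."""
    if not subject_ids:
        return []
    rows = conn.execute(RELEASE_QUERY, (subject_ids[0], ATTR_NAME, peer_entity_id)).fetchall()
    return [r[0] for r in rows]
```

Running it against the sample rows, the payroll SP sees the payroll group plus the DEFAULT group, the lab SP sees the lab group plus the DEFAULT group, and an SP with no matching EntityID sees only the DEFAULT group.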


UW Specific Implementation

...