2007-02-09

Attendees: Carter MaCready Snowden, Bob Basch, Sanjay Bissessur, Paul Hill

Topic, expansion of the core team:

Libraries - who? (sent message to MacKenzie 2/9/07)

CSS/DCAD - (sent message to Sean Brown 2/9/07)

ISDA/Stellar - Craig Counterman (sent 2/9/07), Craig has agreed to join

Sloan - ask Craig who to invite (sent 2/9/07)

CSS - ask Don M. who from the support site should be involved (sent 2/9/07)

SAIS - Steve Landry or Mike Moretti or Olu Brown? (Sent to Steve and Olu 2/9/07)

OIS - Mark and Jeff (have asked before, and gotten agreement)

LDAP issues:

Which eduPerson attributes should be populated? Talk to Mark about this. (sent mail to Mark 2/9/07)

Answered 2/10: Mark has populated:

eduPersonAffiliation

eduPersonPrincipalName

eduPersonScopedAffiliation

eduPersonNickname

eduPersonPrimaryAffiliation

These are now readable via an anonymous bind.

Do we think that the access to groups will be open to anonymous binds in the future? Or do we need to get GSSAPI bind working? (sent mail to Mark 2/9/07) (No discussion yet.)

What about *reg* groups? They are not in there today. We don't need them for Shib, but are there other projects that want them for authZ? We definitely don't want these to be open to anonymous access. Ask Craig first whether any systems actually use these.

Other issues:

RISK Identified:

Will the number of redirects caused by using Stanford WebAuth as the authentication service have an unacceptable impact on the user experience? If it does, we could replace WebAuth with various Apache modules and write our own UI that would invoke these. Of course that means that we could not investigate the use of other [ZEST:not to be spoken of] at a later date.

Shibboleth attribute release:

Bob noticed that some of the Shibboleth information talks about a UI to let the user control what attributes get released, but he hasn't seen the code or utility to do this.

AI: Paul will dig through his archive and find pointers.

UIs for managing attribute release are covered in the ThirdPartyExtensions section of the Shibboleth wiki.

https://spaces.internet2.edu/display/SHIB/ThirdPartyExtensions

http://www.federation.org.au/twiki/bin/view/Federation/IdPManagementSuite

Sharpe is for IdP admins

Autograph is for end users

https://spaces.internet2.edu/display/SHIB/SPAttributeConfi - no info about the UI but talks about some of the underlying technology

An alternate UI was also developed at USC:

http://sourceforge.net/projects/shib-autograph

Pasted from <https://mail.internet2.edu/wws/arc/shibboleth-dev/2006-05/msg00025.html>

Do we need Solaris and MacOS builds of Shibboleth? Scott Cantor recently wrote to the list indicating that the Solaris code may be a bit out of date and he does not have access to Solaris 10.

AI: Ask Matt to get new web server demographics and ask that the information include the host operating system (Solaris, Linux, MacOS, XP, Server 2003, ...)

How does OpenID fit into our strategy?

AI: Paul will write a short summary.