asserting multiple scopes and scripting support in guanxi
Tue, Nov 4, 2008
We’re getting ready to apply shibboleth a little more deeply, where we need to group resources from a single supplier based on institutional affiliations. UHI as a whole subscribe to certain resources at a supplier, while partner colleges, such as Perth College, in addition to their UHI resources, subscribe to extra resources to which only Perth users should be granted access. This is an ideal use for eduPersonScopedAffiliation. Our IdP can assert scopes of “uhi.ac.uk” and “perth.uhi.ac.uk” if required.
The original scoping functionality of the IdP was delegated to the Attributors, which only supported single scoping, so I moved it to the mapping engine and all scopes are now defined declaratively in the mapping files:
The above mapping rules result in the IdP releasing the following:
While I was adding this functionality to the mapping engine, it occurred to me that I was duplicating a lot values, such as member, staff, student and eduPerson attribute names all over the place. So I just added simple scripting support. At the moment this just extends to variable interpolation, so you can do things such as:
where scope.uhi is defined in a new variables definition file or files:
Over time I’ll prolly grow this simple functionality into a Guanxi scripting engine to let you define mapping rules and behaviours with full programming functionality. Think I’ll call it GXScript!