GroupLookup -- The pathway to dynamic group discovery in Shibboleth
GroupLookup is designed as a plugin to the Shibboleth Identity Provider (IdP) that lets the IdP make full use of the group information held in the system. One current use of GroupLookup is to supply the ARP Repository with group information as part of the GroupARP concept.
Administrators can then configure Shibboleth ARPs based on the logical groups that users belong to. Consider, for example, a Physics department administrator who wants to create policies for all of the Physics department's users.
A GroupLookup instance is responsible for supplying two types of information to the ArpRepository:
- the user's group memberships: all the groups the user in question (the logged-in user) belongs to. This is supported by the <UserGroup> tag.
- the complete list of groups available in the system. This is supported by the <GroupListing> tag.
Multiple GroupLookup declarations are acceptable; they are queried one at a time to supply the necessary information to the system, and the result is the combined result of the individual GroupLookups.
The following is an example of GroupLookup usage (it replaces the content of the ReleasePolicyEngine element in idp.xml).
<ReleasePolicyEngine>
  <ArpRepository
      implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.provider.MAMSFileSystemArpRepository">
    <Path>/usr/local/shibboleth-idp/etc/arps/</Path>
    <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.AttributeResolverGroupLookup">
      <ResolverConfig implementation="edu.internet2.middleware.shibboleth.aa.attrresolv.MAMSAttributeResolver">/usr/local/shibboleth-idp/etc/resolver.xml</ResolverConfig>
      <UserGroup>urn:mace:dir:attribute-def:eduPersonAffiliation</UserGroup>
      <GroupListing>urn:mace:federation.org.au:attributes:institutionalGroup</GroupListing>
    </GroupLookup>
    <GroupLookup implementation="...">
      <...>
    </GroupLookup>
    <GroupLookup implementation="...">
      <...>
    </GroupLookup>
  </ArpRepository>
</ReleasePolicyEngine>
A number of implementations are currently available, and the list will grow as needs require:
- AttributeResolverGroupLookup
  - This GroupLookup instantiates an AttributeResolver so that the administrator can specify which attributes in the Attribute Resolver supply UserGroup and GroupListing.
  - example:
    <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.AttributeResolverGroupLookup">
      <!-- usage of MAMSAttributeResolver is optional; when it is not used, the default AttributeResolver is instantiated instead -->
      <ResolverConfig implementation="edu.internet2.middleware.shibboleth.aa.attrresolv.MAMSAttributeResolver">/usr/local/shibboleth-idp/etc/resolver.xml</ResolverConfig>
      <UserGroup>urn:mace:dir:attribute-def:eduPersonAffiliation</UserGroup>
    </GroupLookup>
  - The above configuration uses the MAMSAttributeResolver to read the resolver configuration, and UserGroup refers to the eduPersonAffiliation attribute defined in that resolver.
- PropertyFileGroupLookup
  - This GroupLookup reads a properties file and fetches the information needed to supply UserGroup and GroupListing. The separator attribute determines how the per-user keys are formed: with separator="%PRINCIPAL%." the UserGroup entry for principal ann is looked up under ann.memberOf.
  - example:
    <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.PropertyFileGroupLookup" separator="%PRINCIPAL%.">
      <PropertyFile>/usr/local/shibboleth-idp/etc/sample.grouplookup.properties</PropertyFile>
      <GroupListing>institutionalGroupList</GroupListing>
      <GroupListing>groupList</GroupListing>
      <UserGroup>memberOf</UserGroup>
    </GroupLookup>
  - example of sample.grouplookup.properties content:
    #this defines institutional-wide groups
    institutionalGroupList=HeadOfOffice, HeadOfSchool, Academia, Casual
    #an example of local groups
    groupList=Librarian, Researcher, Walkins
    #user based attributes specifying the groups with separator="%PRINCIPAL%."
    ann.memberOf=Researcher
    bliong.memberOf=Staff
    erik.memberOf=HeadOfSchool, Staff
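The PropertyFileGroupLookup behaviour described above, as an added example that is not the MAMS plugin's own code: an independent Python reimplementation of the properties parsing, the %PRINCIPAL% separator substitution, and the combining of several declared GroupLookups, plus a consistency check that reports memberships (such as Staff in the sample) that no GroupListing advertises. The rule that the per-user key is the separator with %PRINCIPAL% replaced by the principal name followed by the UserGroup key is assumed from the sample file.

```python
# Independent reimplementation of the PropertyFileGroupLookup semantics this page
# describes, not the MAMS plugin's code. Assumed: the separator's %PRINCIPAL% is
# replaced by the principal name and the UserGroup key appended ("ann.memberOf").

# Constructed sample, identical in content to sample.grouplookup.properties above.
SAMPLE_PROPERTIES = """
#this defines institutional-wide groups
institutionalGroupList=HeadOfOffice, HeadOfSchool, Academia, Casual
#an example of local groups
groupList=Librarian, Researcher, Walkins
#user based attributes specifying the groups with separator="%PRINCIPAL%."
ann.memberOf=Researcher
bliong.memberOf=Staff
erik.memberOf=HeadOfSchool, Staff
"""

def parse_properties(text):  # minimal Java .properties reader: key=value, '#' comments
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, _, v in pairs
            if k.strip() and not k.startswith(("#", "!"))}

def groups_in(value):  # property values are comma-separated group names
    return [g.strip() for g in value.split(",") if g.strip()]

def merge(into, groups):  # append group names not already present, keeping order
    for g in groups:
        if g not in into:
            into.append(g)
    return into

def group_lookup(props, group_listing, user_group, separator="%PRINCIPAL%."):
    """One <GroupLookup> declaration: its GroupListing keys, UserGroup keys and separator."""
    return {"props": props, "listing": group_listing, "user": user_group, "sep": separator}

def all_groups(lookup):  # <GroupListing> result: every group named by the listing keys
    values = (lookup["props"].get(key, "") for key in lookup["listing"])
    return merge([], (g for value in values for g in groups_in(value)))

def groups_of(lookup, principal):  # <UserGroup> result for one principal
    keys = (lookup["sep"].replace("%PRINCIPAL%", principal) + key for key in lookup["user"])
    return merge([], (g for prop in keys for g in groups_in(lookup["props"].get(prop, ""))))

def collective(lookups, query, *args):  # query each declared GroupLookup in turn, as the IdP does
    return merge([], (g for lookup in lookups for g in query(lookup, *args)))

def undeclared_memberships(lookups, principal):
    """Consistency check: memberships that no GroupListing advertises (e.g. 'Staff')."""
    listed = set(collective(lookups, all_groups))
    return [g for g in collective(lookups, groups_of, principal) if g not in listed]
```

Running undeclared_memberships over every principal in the file before writing GroupARP policies shows which group names the policies can rely on from the advertised listing.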
Resources
- Discuss GroupLookup in the mailing list
- Other GroupLookup options available