AttributeMappingsTable
The following tables show how attributes are mapped into Sakai. The intent is to be able to trace which name is used where, because several levels of mapping are involved.
1. Attributes from Attribute Store
These are attributes which are retrieved from an attribute store for a person as part of the login procedure.
Name in OUCS LDAP | X.521 (2001) | RFC 2798 | Exported as | Shibboleth                  | Single? | Identifying?
oucsStatus        |              |          |             |                             | S       |
preferredMail     |              |          |             |                             | S       |
dn                |              |          |             |                             | S       |
cn                |              |          |             | Shib-Person-commonName      | M       |
sn                |              |          |             | Shib-Person-surname         | S       |
givenName         |              |          |             |                             | S       |
displayName       |              |          |             |                             | S       |
initials          |              |          |             | Shib-InetOrgPerson-initials | S       |

Single?: S = single-valued, M = multi-valued. Cells left blank have not been filled in yet.
2. Dynamic Attributes
These are dynamic attributes which are generated in the process of logging in. They are not stored.
Attribute                       | Example
Shib-Origin-Site                | urn:mace:inqueue:oucs.ox.ac.uk
Shib-Identity-Provider          | urn:mace:inqueue:oucs.ox.ac.uk
Shib-Authentication-Method      | urn:oasis:names:tc:SAML:1.0:am:unspecified
Shib-Application-ID             | default
cookie / _saml_idp              | encrypted
cookie / _shibsession_encrypted | encrypted
cookie / _shibstate_encrypted   | encrypted
Browser cookies are scoped to the host, not to a port or scheme, so the same cookie is presented to every listener on the host, plain http as well as https; that is why the SP keeps their values encrypted. Setting the Secure flag stops them being sent over plain http at all, but use of these cookies at the application level should be unnecessary in any case.
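The mapping table in section 1 and the dynamic attributes in section 2, as an added worked example in Python (this is not code from Sakai or from this page): it takes the values the SP exported for one login, enforces the Single?/Multi marking from the table, and only accepts the person attributes when Shib-Identity-Provider is on a trusted list. The dict-shaped input, the IdP allow-list and the ';' joining of multi-valued attributes (with a literal ';' escaped as '\;', the Shibboleth SP's usual export convention) are assumptions made for the example.

```python
"""Map the attributes exported by the Shibboleth SP onto a user record.

Added example; not code from Sakai or from the original page.
Assumptions not stated on the page:
  * the SP exports each attribute under the name in the "Shibboleth"
    column (Shib-Person-commonName, ...), here passed in as a dict;
  * multi-valued attributes arrive joined with ';', with a literal ';'
    inside a value escaped as '\\;' (the Shibboleth SP's usual convention);
  * the allow-list of identity providers is constructed for the example.
"""
import re

# Single?/Multi marking copied from the mapping table: only cn is multi-valued.
EXPECT_SINGLE = {
    "Shib-Person-commonName": False,       # cn -> M
    "Shib-Person-surname": True,           # sn -> S
    "Shib-InetOrgPerson-initials": True,   # initials -> S
}

# Constructed allow-list; the entity ID is the page's own example value.
TRUSTED_IDPS = frozenset({"urn:mace:inqueue:oucs.ox.ac.uk"})

# Split on ';' unless it is escaped by a backslash.
_UNESCAPED_SEMICOLON = re.compile(r"(?<!\\);")


class MappingError(ValueError):
    """Raised when the exported attributes violate the mapping table."""


def split_values(raw):
    """Split an exported attribute string into its values, unescaping '\\;'."""
    return [part.replace("\\;", ";")
            for part in _UNESCAPED_SEMICOLON.split(raw) if part != ""]


def map_login(attrs):
    """Build a user record from the SP-supplied attributes for one request.

    `attrs` must be read from the channel the SP controls (server environment,
    or headers the SP clears before re-setting them), never from headers the
    client can supply itself, or a browser could assert its own Shib-* values.
    """
    idp = attrs.get("Shib-Identity-Provider")
    if idp not in TRUSTED_IDPS:
        raise MappingError("attributes asserted by untrusted IdP %r" % (idp,))
    record = {
        "idp": idp,
        "authn_method": attrs.get("Shib-Authentication-Method"),
        "application": attrs.get("Shib-Application-ID"),
    }
    for name, single in EXPECT_SINGLE.items():
        raw = attrs.get(name)
        if raw is None:
            continue
        values = split_values(raw)
        if single:
            # The table says S: exactly one value, or the export is malformed.
            if len(values) != 1:
                raise MappingError("%s is single-valued, got %r" % (name, values))
            record[name] = values[0]
        else:
            record[name] = values
    return record


# Constructed sample of what the SP might export for one login.
SAMPLE_ATTRS = {
    "Shib-Identity-Provider": "urn:mace:inqueue:oucs.ox.ac.uk",
    "Shib-Authentication-Method": "urn:oasis:names:tc:SAML:1.0:am:unspecified",
    "Shib-Application-ID": "default",
    "Shib-Person-commonName": "Albert Einstein;A. Einstein",
    "Shib-Person-surname": "Einstein",
    "Shib-InetOrgPerson-initials": "A",
}

if __name__ == "__main__":
    print(map_login(SAMPLE_ATTRS))
```

Whichever channel the SP uses, the application must read the attributes only from it: a request header called Shib-Person-surname that the SP has not overwritten is client-controlled, which is the reason the IdP check and the source of `attrs` matter more than the mapping itself.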
3. Groups
A significant number of possible portal activities and actions involving people would benefit from the ability to reason about groups rather than individuals. For example:
- "Allow all academic staff to access this resource."
- "Allow everyone to view aggregated course grades, all staff at the institution and all students on the course to view anonymised individual grades and staff assigned to the course and the student concerned to view non-anonymised individual grades."
- "Allow full access to this patient record by the patient or a clinician treating them, allow anonymised access by the medical teaching staff based on a flag in the resource, allow aggregated access to qualified epidemiologists in recognised institutions."
- "Find citations of "A. Einstein" in papers published by research students in biology, bio-medicine, bio-chemistry, medicine, zoology or botany, across all universities."
There are two important distinctions here:
- people have roles: student, academic, staff, research student
- there is an expectation that roles and groups slice across institutional boundaries, that the concept of a "research student in biology, bio-medicine, bio-chemistry, medicine, zoology or botany" is transportable between institutions.
(More thought needed)
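The second rule in the list above, written out as a policy over roles and group memberships rather than over named individuals (an added Python example, not code from Sakai or from this page). The subject and record shapes, the three view levels and the treatment of "staff" as a role distinct from "academic" are assumptions made for the example; the rule itself is the page's.

```python
"""Evaluate the grade-visibility rule from the Groups section.

Added example; not code from Sakai or from the original page. Assumed here:
a subject carries roles, a home institution and course memberships, and the
rule grants one of three views. Course membership is deliberately separate
from institution so that a student on the course from another institution
gets the same view as a local one (the "slices across institutions" point).
"""
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Subject:
    identity: str                   # an identifying attribute from the login mapping
    institution: str                # home institution, may differ from the course's
    roles: FrozenSet[str]           # e.g. "student", "academic", "staff", "research student"
    courses_as_student: FrozenSet[str] = frozenset()
    courses_as_staff: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class GradeRecord:
    course: str
    institution: str                # institution that runs the course
    student: str                    # identity of the student the record concerns


AGGREGATED, ANONYMISED, IDENTIFIED = "aggregated", "anonymised", "identified"


def grade_view(subject, record):
    """Return the most detailed view the rule grants to `subject` on `record`.

    Tiers are tested most-privileged first, because each tier includes the
    ones below it; testing in the other order would short-circuit a course
    tutor down to the anonymised view.
    """
    # Staff assigned to the course, or the student concerned: non-anonymised.
    if record.course in subject.courses_as_staff or subject.identity == record.student:
        return IDENTIFIED
    # All staff at the institution, or any student on the course, wherever they
    # are from: anonymised individual grades. Whether "academic" implies
    # "staff" is left open by the page, so only the literal role counts here.
    if ("staff" in subject.roles and subject.institution == record.institution) \
            or record.course in subject.courses_as_student:
        return ANONYMISED
    # Everyone may view aggregated course grades.
    return AGGREGATED


if __name__ == "__main__":
    # Constructed sample: a biology course run at "ox", record about "alice".
    rec = GradeRecord(course="biology101", institution="ox", student="alice")
    visiting = Subject("bob", "cam", frozenset({"student"}),
                       courses_as_student=frozenset({"biology101"}))
    print(grade_view(visiting, rec))
```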
4. References
-- StuartYeates 2006-06-19 14:01:13