Subject Re: How to join the refeds wiki
From Thomas Lenggenhager <lenggenhager@xxxxxxxxx>
Date Thu, 12 Mar 2009 23:19:09 +0100

Ian Young wrote:
> On 12 Mar 2009, at 19:30, Peter Schober wrote:
>> * Ian Young <ian@xxxxxxxxxx> [2009-03-12 20:27]:
>>> On 12 Mar 2009, at 17:35, Licia Florio wrote:
>>>> I discussed this with Thomas back in December
>>>> and he suggested using a group management tool.
>>>
>>> I'm afraid that if you expect people to use group management tools
>>> in order to access your wiki, it will see very little use.
>>
>> No. Thomas suggested to Licia that she (at the SP) might use something
>> like the SWITCH GMT. No one said "people" should use group management
>
> Well, I have no objection to the use of group management tools at the SP, but I didn't (and don't) see how that responds to my concern about requiring entitlement values from the IdP. That's why I assumed Licia was talking about using group management tools at the IdP as a way to manage entitlement values released from there. My apologies if I have misunderstood how this applies to my question.

The group management tool only requires a unique identifier like ePPN and, therefore, there is no need at all for entitlements managed at the IdP.

Locally (to the SP) defined groups can then be used for authorization by the application protected by the SP. So read access could be available for everyone with proper AuthN, but write access would require being a member of a locally defined group.
A second (smaller) group could be used for admin access.


Serving Swiss Universities
Thomas Lenggenhager
P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 1505  direct +41 44 268 1541
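
The SP-side scheme described in this message, sketched as an added example that is not part of the original e-mail and is not code from SWITCH GMT: read access for any authenticated user, write and admin access from groups kept locally at the SP and keyed by ePPN. The group names, the `eppn` attribute key, the sample ePPNs and the case-insensitive comparison are assumptions made for illustration.

```python
from enum import IntEnum


class Access(IntEnum):
    NONE = 0   # not authenticated
    READ = 1   # any user with proper AuthN
    WRITE = 2  # member of the local editors group
    ADMIN = 3  # member of the second, smaller group


# Constructed sample data: groups maintained at the SP, keyed by ePPN.
LOCAL_GROUPS = {
    "wiki-editors": {"alice@example.org", "bob@example.net"},
    "wiki-admins": {"alice@example.org"},
}


def normalize_eppn(value):
    """Return a usable ePPN ('user@scope') or None if absent or malformed."""
    if not value:
        return None
    value = value.strip()
    user, sep, scope = value.partition("@")
    if not sep or not user or not scope or "@" in scope:
        return None
    # Assumption: this SP compares ePPNs case-insensitively.
    return value.lower()


def access_level(session_attrs, groups=LOCAL_GROUPS):
    """Decide wiki access from the attributes the SP received after AuthN.

    session_attrs is None for an unauthenticated request, otherwise a dict
    of released attributes. Only 'eppn' is consulted; entitlement values
    from the IdP play no part in the decision.
    """
    if session_attrs is None:
        return Access.NONE
    eppn = normalize_eppn(session_attrs.get("eppn"))
    if eppn is None:
        # Authenticated, but no identifier to look up locally: read only.
        return Access.READ
    if eppn in groups.get("wiki-admins", set()):
        return Access.ADMIN
    if eppn in groups.get("wiki-editors", set()):
        return Access.WRITE
    return Access.READ
```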