Subject Re: How to join the refeds wiki
From Thomas Lenggenhager <lenggenhager@xxxxxxxxx>
Date Fri, 13 Mar 2009 08:20:14 +0100

Robin Wilton wrote:
But unless I'm misunderstanding the problem statement - all this does is
leave the SP with the problem of how to decide whether a given user
(registered at an IDP elsewhere) belongs to a particular local group or
not. The entitlements which justify including that user in the local
group may well be owned and managed by an entity other than the SP.

Yes, with the GMT the SP admin manages the local group - he can decide whom to authorize. With the latest version of GMT, it is possible to influence that decision based on an attribute sent by the IdP, if desired by the SP admin and if an appropriate attribute is available.


