Subject Re: use of eduPersonEntitlement
From David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date Wed, 15 May 2013 15:52:02 +0100

On 15/05/2013 15:40, Keith Hazelton wrote:
Very much ON topic in my view. This bears on how ePEntitlement can be
used in various real situations. I'll be quite interested to hear
from others about the question of filtering ePE values by SP.

In our federated OpenStack implementation (SP) we have an attribute issuing policy, in which the SP filters out the trusted attributes from the untrusted ones that an IdP is allowed to issue. All untrusted ones are thrown away. We then have a second attribute mapping policy which maps the IdP-issued attributes into the OpenStack-understood ones (roles, tenants/projects and domains) that are used for access control. So regardless of what the IdP throws at the SP, there are strict policies for what is trusted/allowed, and what privileges you can get from them.
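An added example, not code from the thread or from the OpenStack project, of the two policies described above in Python: a per-IdP issuing policy that throws away untrusted attributes and values, followed by a mapping policy that derives OpenStack roles, projects and domains only from what survived. All entity IDs, entitlement URNs, role and project names are constructed.

```python
# Stage 1, the issuing policy: which attributes (and which values) each IdP is
# trusted to assert. None = any value accepted; a set = only the listed values.
ISSUING_POLICY = {
    "https://idp.example.edu/idp": {
        "eduPersonPrincipalName": None,
        "eduPersonEntitlement": {
            "urn:mace:example.edu:cloud:user",
            "urn:mace:example.edu:cloud:project-admin",
        },
    },
}

# Stage 2, the mapping policy: trusted (attribute, value) -> OpenStack role,
# project and domain. Everything here (entity IDs, URNs, names) is constructed.
MAPPING_POLICY = {
    ("eduPersonEntitlement", "urn:mace:example.edu:cloud:user"):
        {"role": "member", "project": "research", "domain": "example.edu"},
    ("eduPersonEntitlement", "urn:mace:example.edu:cloud:project-admin"):
        {"role": "admin", "project": "research", "domain": "example.edu"},
}

def apply_issuing_policy(idp_entity_id, asserted):
    """Split asserted attributes (name -> list of values) into trusted and
    dropped. An IdP absent from the policy is trusted for nothing."""
    allowed = ISSUING_POLICY.get(idp_entity_id, {})
    trusted, dropped = {}, {}
    for name, values in asserted.items():
        permitted = allowed.get(name, set())  # unknown attribute: no values
        keep = [v for v in values if permitted is None or v in permitted]
        lost = [v for v in values if v not in keep]
        if keep:
            trusted[name] = keep
        if lost:
            dropped[name] = lost  # worth logging: IdP overreach or misconfig
    return trusted, dropped

def apply_mapping_policy(trusted):
    """Derive privileges only from attributes that survived stage 1."""
    grants = []
    for name, values in trusted.items():
        for value in values:
            grant = MAPPING_POLICY.get((name, value))
            if grant is not None and grant not in grants:
                grants.append(grant)
    return grants

def authorize(idp_entity_id, asserted):
    trusted, dropped = apply_issuing_policy(idp_entity_id, asserted)
    return {"trusted": trusted, "dropped": dropped, "privileges": apply_mapping_policy(trusted)}
```

The `dropped` dictionary is the audit trail: an IdP asserting an entitlement it is not trusted for shows up there rather than silently influencing access.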