Menu
▾
▴
Re: [Unity-idm-discuss] Naming of groups created via upman
|
From: Sander A. <sa....@fz...> - 2020-08-04 13:01:56
|
Hi Krzysztof, On Tue, 2020-08-04 at 09:56 +0200, Krzysztof Benedyczak wrote: > Morning Sander, > > W dniu 03.08.2020 o 08:39, Sander Apweiler pisze: > > Good morning Krzysztof, > > I agree that identifiers are needed. But is there a possibility to > > grab > > the displayname of a group, e.g. in output translation profile? In > > this > > case we could release the group membership information like the > > group > > administrators and service providers would expect them. > > > > I'll give you an example. We have a group m-team which is managed > > by a > > group administrator. He created a subgroup feudal-developers and > > asked > > specific service providers to support his group /m-team/feudal- > > developers but the service provider only see /m-team/NNE09. > > > > Having the possibility to access the displayname, we could create a > > new > > attribute containing the expected information. > > Hmm I wonder whether this is the right path. Shouldn't this be > opposite? I would agree in a very closed SP audience, only. If you have a broader audience which are part of multiple federations, this may become problematically. You would need to have a unique identifier across several IdPs, which can not be guaranteed. And in this case you do not need to carry about the uniqueness of the information anymore. Another problem are stupid SPs which consume the information directly and displays it to the users. One example is Nextcloud which is able to consume the groups from IdP (unity in this case). But Nextcloud will create the groups with the names released by the IdP and if the user want to share information with the group, they need to know the identifier. The next scenario is that a research community might have their groups on several environments and want to have the same name on every services. Here does the identifier also not work. Sadly such small things might make the decision if the service is used or not. To make it short there are scenarios where the opposite flow does not work. > I.e. on output profile/protocol etc I would rather send 'NNE09' as > the > identifier and configure all policies around this - this is stable > identifier. If you program around displayed name then... who knows > what > needs to be updated after some upman admin "improves" the displayed > name? Changing the display name would be the the short was for creating a new group with the same members and removing the old group. Which would lead of course to changed access permissions on the SP, which use the group based access. Having no access to the resources are also possible in this case. > > I agree that giving access to displayed name (also in output > profile) > makes sense in general, to add some human readable context (useful > e.g. > for debuggin, initial config) but the base thing for me is the > stable > identifier. > > What do you think? I agree that having a unique identifier is necessary for unity. But there are different scenarios where the displayname need to be released to the service providers instead of the identifier. Cheers, Sander > > KB > > -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ---------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Volker Rieke Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
