
saml-dev message



Subject: Re: [saml-dev] Returning user roles in the Assertion


On 3/13/14, 11:31 AM, "Vasu Y" <vyal2k@yahoo.com> wrote:
>
>I would like to know:
>1) What is the best practice for sending user roles from IDP to SP.
>2) What are some of the widely used approaches (if not best practice) for
>sending user roles from IDP to SP.

There aren't widely used standard attributes for it, even in very mature
sectors like higher ed. We tend to put them in the eduPersonEntitlement
attribute from the eduPerson schema, in the memberOf attribute that's used
for LDAP groups, or custom attributes.

There are substantial best practices around attribute use and naming that
are routinely ignored by commercial interests. [1]

-- Scott

[1] https://wiki.shibboleth.net/confluence/display/SHIB2/AttributeNaming
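
An added example, not part of the message above: an SP-side sketch that derives local roles from eduPersonEntitlement values, matching the attribute on its Name and NameFormat rather than FriendlyName. The entitlement URIs, ROLE_MAP and the sample statement are constructed, and the assertion is assumed to have already passed signature, issuer, audience and validity checks.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# eduPersonEntitlement from the eduPerson schema, identified by its OID.
ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"

# Constructed mapping: entitlement URIs this SP recognises -> local roles.
ROLE_MAP = {
    "https://sp.example.org/entitlement/admin": "admin",
    "https://sp.example.org/entitlement/editor": "editor",
}

# Constructed sample; assumed to come from an assertion whose signature,
# issuer, audience and validity window were already checked.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      FriendlyName="eduPersonEntitlement">
    <saml:AttributeValue>https://sp.example.org/entitlement/editor</saml:AttributeValue>
    <saml:AttributeValue>https://other.example.net/entitlement/admin</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="role" FriendlyName="eduPersonEntitlement">
    <saml:AttributeValue>https://sp.example.org/entitlement/admin</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def roles_from_statement(xml_text):
    """Return the sorted local roles granted by eduPersonEntitlement values."""
    root = ET.fromstring(xml_text)
    roles = set()
    for attr in root.iter("{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"):
        # Match on Name and NameFormat; FriendlyName is only a display hint.
        if attr.get("Name") != ENTITLEMENT or attr.get("NameFormat") != URI_FORMAT:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            role = ROLE_MAP.get((value.text or "").strip())
            if role:  # entitlements outside the allowlist grant nothing
                roles.add(role)
    return sorted(roles)


if __name__ == "__main__":
    print(roles_from_statement(SAMPLE))
```

The second Attribute in the sample carries an admin entitlement under a different Name with a matching FriendlyName; it is ignored because FriendlyName is not an identifier.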



