...
If the user has multiple linked identities, and the home Identity Provider sends some entitlements about the user, ProxyIdP will forward these entitlements, as they are, to the service.
The specific format of these entitlements depends on their issuer.
...
ProxyIdP also releases entitlements based on group membership and on the groups assigned to the service in Perun IDM. For convenience, ProxyIdP will release an entitlement value for each group that the user is a member of, if that group is assigned to a resource on the facility that represents this service.
The procedure for generating these entitlements is described in the official specification https://doi.org/10.5281/zenodo.6533400. The format of each value is:
...
<NAMESPACE>
    is a prefix which represents the instance of ProxyIdP
<GROUP>
    is the short name of the virtual organization of the group
[:<SUBGROUP>*]
    contains the full group name, if the user is a member of a group (URL encoded)
[#<AUTHORITY>]
    is a suffix which represents the instance of Perun IDM
...
urn:geant:muni.cz:group:MU#idm.ics.muni.cz
    - a member of a VO called MU
urn:geant:cesnet.cz:group:einfra:group1#perun.cesnet.cz
    - a member of a group called group1 in a VO called einfra
...
Note: The downside of this approach is that the value of the entitlement changes when the group is renamed or moved in the hierarchy. This poses a risk of breaking access when using multipurpose groups. For a more stable solution, see resource capabilities below.
Group entitlements are configured in Perun IDM. Groups need to be assigned to a resource on the corresponding facility, and ProxyIdP will start releasing the related group entitlements automatically (when requested or required by the service).
Resource capabilities
To prevent access control from breaking when groups are renamed or moved in the group hierarchy, we highly recommend using entitlements in the form of resource capabilities. This form of entitlement effectively represents an M:N mapping of groups to entitlement values: multiple groups may be mapped to the same capability, and one group may grant users multiple capabilities.
The procedure for generating these entitlements is described in the official specification https://doi.org/10.5281/zenodo.2247446. The format of each value is:
...
<NAMESPACE>
    is a prefix which represents the instance of ProxyIdP
res:<RESOURCE>[:<CHILD-RESOURCE>]...[:act:<ACTION>[,<ACTION>]...]
    is the resource capability value set in Perun IDM
[#<AUTHORITY>]
    is a suffix that represents the instance of Perun IDM
...
Each resource may grant multiple capabilities, and multiple resources may grant the same resource capability.
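The following Python is an added example covering both formats above (group entitlements and resource capabilities); it is not ProxyIdP's or Perun's own code. It builds a group entitlement value from a VO and a full group name, parses a resource capability into its namespace, resource path, actions and authority, and shows the M:N group-to-capability mapping collapsing duplicates. The namespace `urn:geant:example.org`, the authority `idm.example.org`, and all group and resource names are constructed sample values; the assumption that Perun separates group hierarchy levels with `:` is labelled in the code.

```python
"""Group entitlement and resource capability formats as described on this page.
Example code written for this page, not ProxyIdP's own implementation.
All namespace, authority, group and resource names are constructed samples."""
from urllib.parse import quote, unquote

# Constructed sample values, not a real deployment.
NAMESPACE = "urn:geant:example.org"
AUTHORITY = "idm.example.org"


def group_entitlement(vo, group_name=None, namespace=NAMESPACE, authority=AUTHORITY):
    """<NAMESPACE>:group:<GROUP>[:<SUBGROUP>*]#<AUTHORITY>

    `vo` is the VO short name, `group_name` the full group name (None for
    plain VO membership).  Assumption: Perun separates hierarchy levels with
    ':' (e.g. 'parent:child'); each level is URL-encoded on its own so an
    encoded character can never be mistaken for a level separator."""
    parts = [namespace, "group", quote(vo, safe="")]
    if group_name:
        parts.extend(quote(level, safe="") for level in group_name.split(":"))
    return ":".join(parts) + "#" + authority


def parse_resource_capability(value):
    """Parse <NAMESPACE>:res:<RESOURCE>[:<CHILD>]...[:act:<ACTION>[,<ACTION>]...][#<AUTHORITY>].

    Returns a dict, or None if the value is not a well-formed resource
    capability (e.g. a group entitlement).  The namespace itself contains
    ':' (urn:geant:...), so the first ':res:' marker, not a plain split,
    decides where the namespace ends.  'act' is treated as reserved because
    the format uses it as the delimiter before the action list."""
    body, sep, authority = value.rpartition("#")
    if not sep:                      # no '#': the whole value is the body
        body, authority = value, None
    marker = ":res:"
    idx = body.find(marker)
    if idx < 0:
        return None
    namespace = body[:idx]
    tokens = body[idx + len(marker):].split(":")
    if "act" in tokens:
        act_idx = tokens.index("act")
        resource, rest = tokens[:act_idx], tokens[act_idx + 1:]
        if len(rest) != 1 or not rest[0]:
            return None              # 'act' must be followed by exactly one comma list
        actions = rest[0].split(",")
    else:
        resource, actions = tokens, []
    if not resource or any(r == "" for r in resource):
        return None                  # empty resource component
    return {
        "namespace": namespace,
        "resource": [unquote(r) for r in resource],
        "actions": actions,
        "authority": authority,
    }


def capabilities_for_user(user_groups, resource_groups, resource_capabilities,
                          namespace=NAMESPACE, authority=AUTHORITY):
    """The M:N mapping from the page: a user receives every capability of every
    resource that one of their groups is assigned to; the same capability
    reached through several groups or resources is released once.

    resource_groups:       resource -> set of group names assigned to it
    resource_capabilities: resource -> list of capability values ('res:...')"""
    member_of = set(user_groups)
    values = set()
    for resource, groups in resource_groups.items():
        if groups & member_of:
            for cap in resource_capabilities.get(resource, []):
                values.add(f"{namespace}:{cap}#{authority}")
    return sorted(values)


if __name__ == "__main__":
    print(group_entitlement("einfra", "group1"))
    print(parse_resource_capability(
        "urn:geant:example.org:res:webapp:admin-panel:act:read,write#idm.example.org"))
```

Because `group_entitlement` derives the value from the group name, a renamed or moved group yields a different string, which is exactly the breakage the Note above warns about; `capabilities_for_user` shows why resource capabilities are stable: the released value comes from the resource, so groups can be renamed or reassigned without changing what the service sees.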
...