
inc-librsvcs - Re: [inc-librsvcs] Authentication plus authorization in EZproxy

Subject: InCommon Library Services

  • From:
  • To: inc-librsvcs <>
  • Subject: Re: [inc-librsvcs] Authentication plus authorization in EZproxy
  • Date: Fri, 3 Apr 2009 11:00:51 -0400

At 10:06 AM -0400 4/3/09, Rich Wenger wrote:
wrote:

Could a custom dataconnector in the IdP retrieve this info from the ROLES DB, and then send it along as an attribute?

I believe the IdP (perhaps only the version in subversion, and about to be released?) contains a SOAP client.
It is an interesting policy question whether or not this sort of provisioning belongs with the IdP. I have my
doubts, but am interested in hearing other views. It blurs the distinction between authentication and authorization,
a distinction that many IT departments have established with considerable effort.


I'd argue, tho, that in this specific case MIT is NOT REALLY authorizing access. Yes, you're blocking some users. And you're allowing others thru. But, I *suspect* there are ways around your in place systems...

Ultimately, the vendor has to decide whether or not to let the user in. In this case, the vendor may be configured to ONLY accept requests from the IP address of your EZP server (rather than any address on the MIT network). That's their access control policy. And if I can figure out a way around it, then I'm into their service....

You're helping them.... and doing a good job of it. But, ultimately, it's still their problem and responsibility....


