> now that the Shibboleth branch has stabilized, I'd suggest that we
> merge it back into the 1.2.x branch (or rather merge the changes from
> the 1.2.x branch into the Shibboleth branch and use this as the new
> 1.2.x branch).
>
> The advantages of the Shibboleth branch are:
>
> * A TransientUser class which allows authenticating and authorizing
> users who are not stored in the CMS. This is especially useful to
> integrate Lenya in single sign-on environments.
>

We use the shibboleth-branch in a productive environment. This enables us to grant access to a publication to other Swiss university members, or better, to all users who are members of the so-called AAI Federation (1). Authenticating and authorizing users who are not stored in the CMS is really a big advantage and opens new possibilities for authentication and authorisation.

> * Attribute-based authorization. Groups can have rules to include
> users based on their attributes. The attributes can be fetched from
> LDAP, a Shibboleth IdP etc., based on the authenticator implementation.
>

Or you can even store your users and roles in a file. We use that approach for some special situations.

> * A Shibboleth authenticator. For more information, see [1].
>
> * A nice side effect is that the Identity object is now serializable,
> i.e. you can restart the servlet engine without losing sessions.
>

That works, but as far as I know only within the authoring area.

> If you want more information: There is a Forrest-based documentation
> in the SVN repository [2].
>
> ----
>
> I have done a dry-run, there are some conflicts but IMO they should be
> easy to resolve (see below).
>
> The access control API has changed a little, but the migration should
> be easy enough to justify keeping it in the 1.2.x branch.
>
> The only disadvantage of the Shibboleth branch that I'm aware of is a
> decreased performance of some access control operations. This is
> significant in the AccessControlSitetreeTransformer, especially in
> large publications. Until a patch is available, a temporary workaround
> is to disable the transformer.
>

We did disable this transformer until we have fixed the problem.

Jann

--
Jann Forrer
Informatikdienste
Universität Zürich
Winterthurerstr. 190
CH-8057 Zürich
mail: [email protected]
phone: +41 1 63 56772
fax: +41 1 63 54505
http://www.id.uzh.ch
