
Confirm we have the right LDAP permissions enabled #336

Open
cbeer opened this issue Jul 30, 2019 · 5 comments
@cbeer
Member

cbeer commented Jul 30, 2019

I was expecting to see eduPersonEntitlement available on -uat (see #335), but no such luck. I wonder if something got lost in translation from webauth/ldap to shibboleth attributes?

@tallenaz
Contributor

See https://github.com/sul-dlss/operations-tasks/issues/1930 for the source of the HELPSU request
and also some docs around eduPersonEntitlement: https://uit.stanford.edu/service/saml/arp

@tallenaz tallenaz self-assigned this Jul 30, 2019
@tallenaz
Contributor

From some discussion with the rest of ops: for eduPersonEntitlement it depends on whether we're using an LDAP query for that attribute, or looking to the SAML headers. If the former, we'll have to issue another UIT request. If the latter, the attribute should be already released.

@tallenaz
Contributor

We can get access to eduPersonEntitlement, via shib headers, but only relative to particular workgroup stems or sub-stems, and we don't want to restrict ourselves that way here.

Since we want broader access, we might be able to do LDAP lookups with a keytab in the app. If we went that way, we'd have to write code to do that, and get a ticket in to UIT to request the keytab.

@cbeer
Member Author

cbeer commented Jul 31, 2019

The things we need from eduPersonEntitlement are the same things we're already getting with stacks, requests, or many of our other apps. I'm not sure why we can't get them out of the header the same way?

@camillevilla
Contributor

Note from post-planning meeting:

Sponsored SUNet accounts get an “Unable to authenticate” message, but we should use the LDAP priv group to (1) figure out who they are and (2) give them a clearer message.
