An open discussion list for topics related to the eduGAIN interfederation service.

[Lukas Hämmerle <lukas.haemmerle AT switch.ch>]

On 19.02.14 15:32, Lukas Hämmerle wrote:
>> >     We would also include eduGAIN SPs metadata into our federation 
>> > metadata file (renater-metadata.xml).
> There might be a risk for SPs that are not properly authenticating
> federated users. Having an Apache rule like:
> 
> AuthType Shibboleth
> ShibRequestSetting requireSession true
> require valid-user
> 
> will also allow all eduGAIN users to access a service. This of course
> might be intended and in general shouldn't cause problems but it
> probably might be wise to announce this properly on your federation
> mailing list in advance with the hint how to change the authorisation
> rules to allow only FER users on a service (maybe using a SupAnn attribute).

I have to correct myself :-)
Including metadata of the eduGAIN SPs in the FER metadata of course
should not be an issue because these SPs already should be prepared to
accept eduGAIN users.

The scenario I described above is the case where the French SPs also
would be exposed to eduGAIN by adding their metadata to the eduGAIN
metadata.

Best Regards
Lukas

-- 
SWITCH
Lukas Hämmerle, Central Solutions
GÉANT GN3plus Task Leader "Enabling Users"
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 05, direct +41 44 268 15 64
lukas.haemmerle AT switch.ch, http://www.switch.ch