edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] SPs with no attribute requirements (or so it seems)

From: Ian Young <ian AT iay.org.uk>
To: Niels van Dijk <niels.vandijk AT surfnet.nl>
Cc: edugain-discuss AT geant.net
Subject: Re: [eduGAIN-discuss] SPs with no attribute requirements (or so it seems)
Date: Thu, 27 Mar 2014 10:28:58 +0000
List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
List-id: eduGAIN discussion list <edugain-discuss.geant.net>

On 27 Mar 2014, at 10:13, Niels van Dijk <niels.vandijk AT surfnet.nl> wrote:

> eduGAIN policy states:
> (http://www.geant.net/service/eduGAIN/resources/Documents/eduGAIN_metadata_profile_v3.doc)
>
> "NOTE on <md:RequestedAttribute>: Whenever a Service Provider needs
> attributes it should list them as <md:RequestedAttribute> in the
> <md:AttributeConsumingService> of its <md:SPSSODescriptor> element to
> increase the chance that Identity Providers really release them."
>
> Based on the above I assume that I can connect to this SP not releasing
> any attributes.

I doubt that. It's more likely that the entity comes from a federation which
hasn't traditionally required this metadata to be provided by SPs. The UKf is
in that category, for example, but I think quite a few others are as well. We
do ask people opting SPs in to eduGAIN to provide this, but it is a bit of an
uphill struggle in some cases and it is optional.

> However, the note is a bit ambiguous:
> - It does not state "MUST list them"
> - It spells "should" and not "SHOULD" as defined per RFC2119

Right, this is optional metadata, both in the base SAML 2.0 Metadata
specification and in the eduGAIN profile. I suspect that we'd want to use the
normative SHOULD rather than the informal "should" in the next revision of
that document, but it doesn't change the meaning: you cannot rely on that
metadata being present, and if it is not present then you'll need to acquire
information about expected attributes for the SP through another channel, or
just release whatever you feel is the minimum bundle you can release to
anyone.

You might try asking the federation operator in question whether that
metadata can be added for the SP, if you have an implementation that makes
use of it.

> What is expected behaviour from the IdP?

There's no mandated behaviour in SAML as far as I remember; it's informative
only.

-- Ian

Attachment: smime.p7s
Description: S/MIME cryptographic signature

[eduGAIN-discuss] SPs with no attribute requirements (or so it seems), Niels van Dijk, 27-Mar-2014
- Re: [eduGAIN-discuss] SPs with no attribute requirements (or so it seems), Ian Young, 03/27/2014
  - Re: [eduGAIN-discuss] SPs with no attribute requirements (or so it seems), Niels van Dijk, 27-Mar-2014
    - Re: [eduGAIN-discuss] SPs with no attribute requirements (or so it seems), Ian Young, 27-Mar-2014
      - Re: [eduGAIN-discuss] SPs with no attribute requirements (or so it seems), Niels van Dijk, 27-Mar-2014
        
        Re: [eduGAIN-discuss] SPs with no attribute requirements (or so it seems), Ian Young, 27-Mar-2014
        
        Re: [eduGAIN-discuss] SPs with no attribute requirements (or so it seems), Niels van Dijk, 27-Mar-2014
  - Re: [eduGAIN-discuss] SPs with no attribute requirements (or so it seems), Leif Johansson, 27-Mar-2014
    - Re: [eduGAIN-discuss] SPs with no attribute requirements (or so it seems), Niels van Dijk, 27-Mar-2014
      - Re: [eduGAIN-discuss] SPs with no attribute requirements (or so it seems), Leif Johansson, 27-Mar-2014
- Re: [eduGAIN-discuss] SPs with no attribute requirements (or so it seems), Brook Schofield, 27-Mar-2014
  - Re: [eduGAIN-discuss] SPs with no attribute requirements (or so it seems), Ian Young, 27-Mar-2014