edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
- From: Alex Stuart <alex.stuart AT ed.ac.uk>
- To: Niels van Dijk <niels.vandijk AT surfnet.nl>, edugain-discuss AT geant.net
- Subject: Re: [eduGAIN-discuss] SPs with no attribute requirements (or so it seems)
- Date: Thu, 27 Mar 2014 10:48:10 +0000
- List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
- List-id: eduGAIN discussion list <edugain-discuss.geant.net>
Hi Niels,
The UK federation wants it to be as easy as possible for entities to opt-in to eduGAIN, and so we only require administrative authorisation to export an entity, and then we export the entity as we have it registered. We recommend that entities should (lower case :-) implement good practices in entity metadata, which Ian points out can be an uphill struggle.
There are few SPs in the UK federation with the RequestedAttribute element. Our "Technical Recommendations for Participants" states that: Authorisation without attributes is not recommended for general use within the federation. And we list the required attributes on our website "Available Services" page.
Another thing that we have noted on the UK federation helpdesk is that sometimes a RequestedAttribute element has isRequired="true" for both SAML1 and SAML2 versions of a particular attribute, and we'd expect one or other format but not both being required. We check this by hand because, as far as I know, we don't have automatic checks in the UK federation for that kind of thing.
Regards,
Alex
On 27/03/2014 10:13, Niels van Dijk wrote:
Hi all,
I am wondering what to do with an eduGAIN SP that has no attribute
requirements in the metadata.
eduGAIN policy states:
(http://www.geant.net/service/eduGAIN/resources/Documents/eduGAIN_metadata_profile_v3.doc)
"NOTE on <md:RequestedAttribute>: Whenever a Service Provider needs
attributes it should list them as <md:RequestedAttribute> in the
<md:AttributeConsumingService> of its <md:SPSSODescriptor> element to
increase the chance that Identity Providers really release them."
Based on the above I assume that I can connect to this SP not releasing
any attributes. However, the note is a bit ambiguous:
- It does not state "MUST list them"
- It spells "should" and not "SHOULD" as defined per RFC2119
What is expected behaviour from the IdP?
thanks!
Niels
--
Alex Stuart
Team Leader - Federated Access Management
EDINA, University of Edinburgh
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
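The two metadata conditions raised in this thread (an SP with no RequestedAttribute at all, and the same attribute marked isRequired="true" in both its SAML1 and SAML2 forms) can be checked mechanically. The script below is an added example, not part of the original messages and not UK federation or eduGAIN tooling; the function names, the two-entry attribute map and the sample metadata are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
MACE = "urn:mace:dir:attribute-def:"  # SAML1-style attribute names
# Subset of SAML2 urn:oid names mapped to their SAML1 short names; extend as needed.
OID = {"urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
       "urn:oid:0.9.2342.19200300.100.1.3": "mail"}

# Constructed sample, trimmed to the elements the check reads (not real entities).
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:EntityDescriptor entityID="https://sp-a.example.org/sp"><md:SPSSODescriptor/></md:EntityDescriptor>
<md:EntityDescriptor entityID="https://sp-b.example.org/sp"><md:SPSSODescriptor>
 <md:AttributeConsumingService index="1">
  <md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" isRequired="true"/>
  <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
 </md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>
<md:EntityDescriptor entityID="https://sp-c.example.org/sp"><md:SPSSODescriptor>
 <md:AttributeConsumingService index="1">
  <md:RequestedAttribute Name="urn:mace:dir:attribute-def:mail"/>
  <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
 </md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>"""

def classify(name):
    """Return (short name, format) for a known attribute name, else (None, None)."""
    if name.startswith(MACE):
        return name[len(MACE):], "SAML1"
    return (OID[name], "SAML2") if name in OID else (None, None)

def check_sps(xml_text):
    """Map entityID -> list of findings for each SP in the metadata."""
    findings = {}
    for entity in ET.fromstring(xml_text).iter(MD + "EntityDescriptor"):
        if entity.find(MD + "SPSSODescriptor") is None:
            continue  # not an SP
        requested = list(entity.iter(MD + "RequestedAttribute"))
        issues = [] if requested else ["no RequestedAttribute"]
        required = {}  # short name -> set of formats marked isRequired
        for ra in requested:
            short, fmt = classify(ra.get("Name", ""))
            if short and ra.get("isRequired") in ("true", "1"):
                required.setdefault(short, set()).add(fmt)
        issues += [f"{s} required in both SAML1 and SAML2 forms"
                   for s, f in sorted(required.items()) if len(f) == 2]
        if issues:
            findings[entity.get("entityID")] = issues
    return findings

if __name__ == "__main__":
    for entity_id, issues in check_sps(SAMPLE).items():
        print(entity_id, issues)
```

When running this over an aggregate fetched from the network, verify the metadata signature first and parse with a hardened XML parser rather than the standard-library one used here.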