edugain-discuss - Re: [eduGAIN-discuss] SPs with no attribute requirements (or so it seems)

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] SPs with no attribute requirements (or so it seems)


  • From: Leif Johansson <leifj AT sunet.se>
  • To: edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] SPs with no attribute requirements (or so it seems)
  • Date: Thu, 27 Mar 2014 11:53:51 +0100
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>

On 2014-03-27 11:28, Ian Young wrote:
>
> On 27 Mar 2014, at 10:13, Niels van Dijk <niels.vandijk AT surfnet.nl> wrote:
>
>> eduGAIN policy states:
>> (http://www.geant.net/service/eduGAIN/resources/Documents/eduGAIN_metadata_profile_v3.doc)
>>
>> "NOTE on <md:RequestedAttribute>: Whenever a Service Provider needs
>> attributes it should list them as <md:RequestedAttribute> in the
>> <md:AttributeConsumingService> of its <md:SPSSODescriptor> element to
>> increase the chance that Identity Providers really release them."
>>
>> Based on the above I assume that I can connect to this SP not releasing
>> any attributes.
>
> I doubt that. It's more likely that the entity comes from a federation
> which hasn't traditionally required this metadata to be provided by SPs.
> The UKf is in that category, for example, but I think quite a few others
> are as well. We do ask people opting SPs in to eduGAIN to provide this, but
> it is a bit of an uphill struggle in some cases and it is optional.
>

This is a broken mechanism btw.

I have lots of practical experience from interfederation from my work
with the NORDUnet Adobe Connect service and I bring this message from
the Twilight Zone of interfederation.... :

RequestedAttribute *does* *not* *work*, repeat DOES NOT WORK

Cheers Leif

>> However, the note is a bit ambiguous:
>> - It does not state "MUST list them"
>> - It spells "should" and not "SHOULD" as defined per RFC2119
>
> Right, this is optional metadata, both in the base SAML 2.0 Metadata
> specification and in the eduGAIN profile. I suspect that we'd want to use
> the normative SHOULD rather than the informal "should" in the next revision
> of that document, but it doesn't change the meaning: you cannot rely on
> that metadata being present, and if it is not present then you'll need to
> acquire information about expected attributes for the SP through another
> channel, or just release whatever you feel is the minimum bundle you can
> release to anyone.
>
> You might try asking the federation operator in question whether that
> metadata can be added for the SP, if you have an implementation that makes
> use of it.
>
>> What is expected behaviour from the IdP?
>
> There's no mandated behaviour in SAML as far as I remember; it's
> informative only.
>
> -- Ian
>
>
>
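The thread turns on two questions: whether an SP's metadata carries `<md:RequestedAttribute>` entries inside `<md:AttributeConsumingService>`, and what an IdP should do when it does not. The following is an added illustration, not code from the list, from eduGAIN or from any of the posters. It parses two constructed SP metadata fragments with Python's standard `xml.etree`, reports what each SP requests, and applies the fallback Ian describes: release the requested attributes that local policy permits, or, when the metadata is silent, fall back to a configured minimum bundle. The `RELEASABLE` and `MINIMUM_BUNDLE` sets, the two entityIDs and the attribute choices are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace, as used by the elements quoted in the thread.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample: an SP that does list its attribute needs.
SP_WITH_REQUESTS = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp-a.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="en">Example Service A</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
          FriendlyName="eduPersonTargetedID" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
          FriendlyName="mail" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: an SP with no AttributeConsumingService at all,
# the situation Niels asked about.
SP_WITHOUT_REQUESTS = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp-b.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp-b.example.org/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Assumed local IdP policy: attributes this IdP is willing to release to
# interfederation SPs, and the minimum bundle used when metadata is silent.
EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"
DISPLAY_NAME = "urn:oid:2.16.840.1.113730.3.1.241"
RELEASABLE = {EPTID, MAIL, DISPLAY_NAME}
MINIMUM_BUNDLE = {EPTID}


def requested_attributes(metadata_xml):
    """Return {Name: isRequired} from the SP's default AttributeConsumingService.

    Returns None when the SP publishes no AttributeConsumingService, so the
    caller can distinguish "requests nothing" from "says nothing".
    """
    root = ET.fromstring(metadata_xml)
    services = root.findall("md:SPSSODescriptor/md:AttributeConsumingService", NS)
    if not services:
        return None
    # Prefer the service flagged isDefault="true"; otherwise take the lowest index.
    acs = next((s for s in services if s.get("isDefault") == "true"), None)
    if acs is None:
        acs = min(services, key=lambda s: int(s.get("index", "0")))
    return {
        ra.get("Name"): ra.get("isRequired") == "true"
        for ra in acs.findall("md:RequestedAttribute", NS)
    }


def attributes_to_release(metadata_xml, releasable=RELEASABLE, minimum_bundle=MINIMUM_BUNDLE):
    """Decide which attributes to release to this SP.

    With RequestedAttribute present: the requested names that policy permits.
    Without it: the minimum bundle, still filtered by policy.
    """
    requested = requested_attributes(metadata_xml)
    if requested is None:
        return set(minimum_bundle) & set(releasable)
    return {name for name in requested if name in releasable}


def unmet_required(metadata_xml, releasable=RELEASABLE):
    """Names the SP marks isRequired="true" that local policy will not release.

    A non-empty result means the login will likely fail at the SP even though
    the IdP released everything it was allowed to.
    """
    requested = requested_attributes(metadata_xml) or {}
    return {name for name, required in requested.items() if required and name not in releasable}


if __name__ == "__main__":
    for label, md in (("SP A", SP_WITH_REQUESTS), ("SP B", SP_WITHOUT_REQUESTS)):
        print(label, "requests:", requested_attributes(md))
        print(label, "release:", sorted(attributes_to_release(md)))
        print(label, "unmet required:", sorted(unmet_required(md)))
```

The `None` return is the point of the exercise: an SP that publishes an empty `<md:AttributeConsumingService>` is asking for nothing, while an SP with no such element has simply not said, and only the second case should trigger the minimum-bundle fallback.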