
edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.



Re: [eduGAIN-discuss] Entity category support attribute for Data Protection CoCo?


  • From: Peter Schober <peter.schober AT univie.ac.at>
  • To: edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] Entity category support attribute for Data Protection CoCo?
  • Date: Tue, 24 Jun 2014 12:06:39 +0200
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass header.i= AT univie.ac.at
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>
  • Organization: ACOnet

* Niels van Dijk <niels.vandijk AT surfnet.nl> [2014-06-24 11:34]:
> Sounds like a very good additional use case to me.

OK!

> Well that was basically my point: The current way Mikael described it,
> the CoC IdP is not requiring automatic attribute release, while I
> would indeed argue that is the whole idea. I would think therefore that
> the CoC on IdP side should suggest automagical attribute release.

I may have read that into Mikael's question/proposal but you're right
that needs to be part of the definition, following the R&S example.

> Well, it is just me wondering if we should invest effort in the IdP CoC
> or work on other stuff. As I said earlier, it may be low hanging fruit.
> And in that case we should do it of course.

I don't think amending the current CoCo SAML profile will take away
anything from other efforts. If someone is currently working on LoA (or
other important things) they should just continue to do so and not pay
attention to this thread. :)

> But I think we are by no means done with the CoC SP work. We now have
> the means to actually do the CoC, which is a great achievement. Now we
> (a.k.a. federations) need to educate IdPs and SPs. That is the really hard
> part. Especially as for us (thinking about) interfederation may be a day
> to day thing, but for our institutions it is a rather distant thing for
> them. I notice that e.g. we are following up a lot of stuff rather
> rapidly e.g. first CoC, then R&S and it takes time for SPs and IdPs to
> grasp what it is and why it could be useful. Especially if you are a
> newcomer to (inter)federation, ignorance is bliss. So all this extra
> stuff may seem like overkill (to them, not to me!).

I agree with almost everything here (lots of work for everyone
ahead!), except maybe for the last part: ECs actually make
interfederation /participation/ as well as federation /participation/
easier in the medium term (maybe even short term).

If you look at our IDP interfederation docs
https://wiki.univie.ac.at/display/federation/Preparing+an+IDP+for+Interfederation
actually only the "Attribute Release" part suggests any change for
IDPs (and that documentation may not be specific to interfederation
participants at some point). And while my current documentation for
ECs/attribute release is not as short and sweet as I'd like it to be
https://wiki.univie.ac.at/display/federation/Service+Categories
it actually gives you just 2 rules copy&pasting of which will make
your IDP "work" with a lot of SPs, out of the box (and more, as we get
more SPs into those categories). A couple of sysadmins running their
IDP with manual rules before were amazed.

Of course the whole "get CIO approval" thing is a drag, but this is
where such decisions belong and it frees the technical workers of any
responsibility they de facto might have today. And copy/pasting a handful
of rules into your config and being set for potentially hundreds of
services is pretty much magic, compared to the old ways, where
sysadmins manually enabled SPs when they approved of them personally
or found the time (i.e., never), not keeping up to date with what a
service needed, etc.

So some of "all this extra stuff" actually makes participating in
(inter-)federation quite a bit easier.
-peter
