An open discussion list for topics related to the eduGAIN interfederation service.

[Jaime Pérez Crespo <jaime.perez AT uninett.no>]

Hi,

> On 29 Oct 2014, at 16:06 pm, Peter Schober <peter.schober AT univie.ac.at> 
> wrote:
> * Leif Johansson <leifj AT sunet.se> [2014-10-29 15:48]:
>> Experience from SPs that have begun to suck at the fire hose of
>> interfederation seems to be that as the number of federations grow, the
>> list of RequestedAttribute elements grow to the union of what is needed
>> to fulfil the recommendations and practice of all federations.
>> 
>> At best this violates the minimality principle and at worst causes
>> breakage since the RequestedAttribute practice of one federation is
>> often incompatible with that of the next federation. Experience shows
>> that breakage occurs after only a small number of connected
>> federations (I have example breakage at <3 federations).
> 
> I'd be interested in more (any, really) concrete examples of that kind
> of breakage, to substantiate the claim of the massive scope of that
> problem.  (I'm probaby just lacking that experience, and imagination.)

I can only support Leif on this. This is a problem that has bitten us in 
Feide a couple of times already. Specific example: an SP connected through 
WAYF to Kalmar2 wants to connect to Feide, and they ask for some attribute we 
don’t provide (or is not really extended among our institutions). We offer 
them using eduPersonPrincipalName for that, as that’s mandatory in Feide and 
will provide equivalent semantics for them. Unfortunately, WAYF’s policy 
refuses to allow them to ask for that attribute because they consider it 
sensitive.

So we both use the same attribute with same semantics, but for them it is 
sensitive while we use it for everything. Probably their policy is right and 
ours is wrong, but it’s not going to change in the near future (and I doubt 
it will ever change, given the amount of work it will mean), so the result is 
that norwegian users cannot use that service unless the service pays the fee 
to join Feide directly (and that leads to… well, you see where this is going).

>> The reason the problem occurs is that federations don't agree on the
>> semantic and use of attributes. Furthermore it seems unlikely that
>> we'll be able to align attribute semantics globally.
> 
> Personally I'd very much prefer to tackle harmonization and alignment
> (possibly at the same time, given concrete problems to chew on) as
> doing that would also solve the problem for the SP, which in the
> proposal still is stuck having to deal with all the incompatible crap
> that seems to be floating around, as you acknoledge:

Unfortunately harmonization is not always feasible, I think. It’s not only 
about using different semantics for an attribute, but also about giving them 
different considerations and even security or privacy features. Not everybody 
is going to agree on the same things, and even if we do, local laws may 
forbid certain uses.

--
Jaime Pérez
UNINETT / Feide
mail: jaime.perez AT uninett.no
xmpp: jaime AT jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and 
that has made all the difference."
- Robert Frost