edugain-discuss - Re: [eduGAIN-discuss] [refeds] mari plan & next steps

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Jaime Pérez Crespo <jaime.perez AT uninett.no>
  • To: REFEDS <refeds AT terena.org>
  • Cc: "edugain-discuss AT geant.net" <edugain-discuss AT geant.net>
  • Subject: Re: [eduGAIN-discuss] [refeds] mari plan & next steps
  • Date: Wed, 29 Oct 2014 16:33:35 +0100
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>

Hi,

> On 29 Oct 2014, at 16:06 pm, Peter Schober <peter.schober AT univie.ac.at>
> wrote:
> * Leif Johansson <leifj AT sunet.se> [2014-10-29 15:48]:
>> Experience from SPs that have begun to suck at the fire hose of
>> interfederation seems to be that as the number of federations grows, the
>> list of RequestedAttribute elements grows to the union of what is needed
>> to fulfil the recommendations and practice of all federations.
>>
>> At best this violates the minimality principle and at worst causes
>> breakage since the RequestedAttribute practice of one federation is
>> often incompatible with that of the next federation. Experience shows
>> that breakage occurs after only a small number of connected
>> federations (I have example breakage at <3 federations).
>
> I'd be interested in more (any, really) concrete examples of that kind
> of breakage, to substantiate the claim of the massive scope of that
> problem. (I'm probably just lacking that experience, and imagination.)

I can only support Leif on this. This is a problem that has bitten us in
Feide a couple of times already. Specific example: an SP connected through
WAYF to Kalmar2 wants to connect to Feide, and they ask for some attribute we
don’t provide (or is not really extended among our institutions). We offer
them using eduPersonPrincipalName for that, as that’s mandatory in Feide and
will provide equivalent semantics for them. Unfortunately, WAYF’s policy
refuses to allow them to ask for that attribute because they consider it
sensitive.

So we both use the same attribute with the same semantics, but for them it is
sensitive while we use it for everything. Probably their policy is right and
ours is wrong, but it’s not going to change in the near future (and I doubt
it will ever change, given the amount of work it will mean), so the result is
that Norwegian users cannot use that service unless the service pays the fee
to join Feide directly (and that leads to… well, you see where this is going).

>> The reason the problem occurs is that federations don't agree on the
>> semantic and use of attributes. Furthermore it seems unlikely that
>> we'll be able to align attribute semantics globally.
>
> Personally I'd very much prefer to tackle harmonization and alignment
> (possibly at the same time, given concrete problems to chew on) as
> doing that would also solve the problem for the SP, which in the
> proposal still is stuck having to deal with all the incompatible crap
> that seems to be floating around, as you acknowledge:

Unfortunately harmonization is not always feasible, I think. It’s not only
about using different semantics for an attribute, but also about giving them
different considerations and even security or privacy features. Not everybody
is going to agree on the same things, and even if we do, local laws may
forbid certain uses.

--
Jaime Pérez
UNINETT / Feide
mail: jaime.perez AT uninett.no
xmpp: jaime AT jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and
that has made all the difference."
- Robert Frost
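
Added example, not part of the original message or of any federation's tooling: a Python check that reads the RequestedAttribute elements from one SP metadata document and evaluates them against per-federation policy profiles, reproducing the conflict described in the thread. The entityID, the `urn:example:attr:localId` attribute and both policy profiles (`federation_a`, `federation_b`) are constructed assumptions, not real federation policy.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"   # eduPersonPrincipalName
LOCAL_ID = "urn:example:attr:localId"        # constructed placeholder attribute

def sp_metadata(names):
    """Build constructed SP metadata with one RequestedAttribute per name."""
    attrs = "".join(
        f'<md:RequestedAttribute Name="{n}" isRequired="true"/>' for n in names)
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'entityID="https://sp.example.org/metadata"><md:SPSSODescriptor '
        'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:AttributeConsumingService index="0">'
        '<md:ServiceName xml:lang="en">Example SP</md:ServiceName>'
        f'{attrs}</md:AttributeConsumingService>'
        '</md:SPSSODescriptor></md:EntityDescriptor>')

# Constructed profiles modelled on the scenario in the thread:
# federation_a treats ePPN as sensitive, so SPs may not request it;
# federation_b releases ePPN everywhere but not the other identifier.
POLICIES = {
    "federation_a": {"released": {EPPN, LOCAL_ID}, "may_not_request": {EPPN}},
    "federation_b": {"released": {EPPN}, "may_not_request": set()},
}

def requested_attributes(xml_text):
    """Return the set of attribute names the SP metadata asks for."""
    root = ET.fromstring(xml_text)
    return {el.get("Name") for el in root.iter(MD + "RequestedAttribute")}

def check(xml_text, policies=POLICIES):
    """Map each federation to the list of problems with this metadata."""
    requested = requested_attributes(xml_text)
    report = {}
    for fed, p in policies.items():
        problems = [f"forbidden: {n}"
                    for n in sorted(requested & p["may_not_request"])]
        problems += [f"not released: {n}"
                     for n in sorted(requested - p["released"])]
        report[fed] = problems
    return report

def acceptable_everywhere(xml_text, policies=POLICIES):
    """True only if a single metadata document passes every federation."""
    return all(not v for v in check(xml_text, policies).values())
```

With these profiles, neither identifier alone nor the union of both yields one metadata document that every federation accepts.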





