edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
Re: [eduGAIN-discuss] Entity category support attribute for Data Protection CoCo?
- From: Lukas Hämmerle <lukas.haemmerle AT switch.ch>
- To: edugain-discuss AT geant.net
- Subject: Re: [eduGAIN-discuss] Entity category support attribute for Data Protection CoCo?
- Date: Tue, 04 Nov 2014 15:32:56 +0100
- List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
- List-id: eduGAIN discussion list <edugain-discuss.geant.net>
- Organization: SWITCH
On 04.11.14 14:55, Tom Scavo wrote:
> I suspect that some of those same IdPs support Research & Scholarship
> as well.
Yes, our IdPs by default support both. And so far none has opted-out :-)
> How does an IdP implement such a complex attribute release
> policy?
They don't have to. See below.
> Moreover, how does the Shibboleth IdP software choose between
> two competing policies?
In our case, it doesn't have to. We generate the (per IdP
custom-tailored) attribute release filter files for all our Shib-based
IdPs. These files are downloaded by the IdPs hourly and they contain
simple rules of the form:
<AttributeFilterPolicy id="afp_for:https://wiki.edugain.org/shibboleth">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://wiki.edugain.org/shibboleth" />
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonTargetedID">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
(yes, we might run into scalability issues sometime with individual rules
per SP but most probably metadata scalability will hit all of us first)
The magic happens when this file is generated by the Resource Registry.
The process that decides if an attribute is released is shown in this
diagram:
https://rr.aai.switch.ch/images//AttributeReleaseProcess.png
Basically, the Resource Registry generates the attribute release rules
per SP. An attribute is released for an SP in general only if:
* it is requested by an SP
* it is supported/implemented by the IdP
If the above conditions are met, the more complex rules apply. An
attribute then is released according to these policies:
* SP-specific Policies:
  If any SP-specific rules (set by IdP admins) exist on the Resource
  Registry for that IdP-SP combination and a particular attribute, that
  rule is used.
* Entity Category Policies:
  If an SP supports an entity category and if the IdP supports this category
  (which is the default), use the release policy for that category.
  If an SP supports R&S and CoCo, the attribute is released if it
  would be released either due to the R&S or due to the CoCo
  release policy.
* Default IdP Attribute Release Rules:
  Otherwise use the IdP default rules, which define for each
  supported attribute where it is released to by default
  (nowhere, only SPs of the same organisation, federation or
  interfederation). Also see:
  https://rr.aai.switch.ch/images//AttributeRelease.png
Some info on our attribute release processes can also be found on slides
7-9 of:
https://www.switch.ch/aai/support/presentations/techupdate-2014/03_RR_Updates.pdf
Best Regards
Lukas
--
SWITCH
Lukas Hämmerle, Central Solutions
GÉANT Project Task Leader "Enabling Users"
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 05, direct +41 44 268 15 64
lukas.haemmerle AT switch.ch, http://www.switch.ch
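As an added illustration of the decision process Lukas describes (this is example code written for this archive page, not code from the post, from SWITCH or from the Resource Registry), the following Python models the precedence: the requested/supported gate, then an SP-specific rule, then the OR-ed entity category policies, and finally the IdP's per-attribute default scope. It then renders the same per-SP AttributeFilterPolicy shape shown in the mail. The entity IDs, organisation and federation names are placeholders, and the category bundles are assumptions: R&S is approximated by the six attributes from the filter file above, and CoCo is modelled as "whatever the SP requested".

```python
"""Constructed model of the attribute release decision described in the post."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Entity category URIs as they appear in SAML metadata.
RS = "http://refeds.org/category/research-and-scholarship"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"


@dataclass
class SP:
    entity_id: str
    requested: Set[str]                      # attributes the SP asks for in metadata
    categories: Set[str] = field(default_factory=set)
    organisation: str = ""
    federation: str = ""


@dataclass
class IdP:
    entity_id: str
    supported: Set[str]                      # attributes the IdP actually implements
    categories: Set[str] = field(default_factory=lambda: {RS, COCO})  # opt-out default
    organisation: str = ""
    federation: str = ""
    # Default release scope per attribute: nowhere | organisation | federation | interfederation
    default_scope: Dict[str, str] = field(default_factory=dict)


# Assumed category policies for this example (not the official definitions):
# R&S approximated by the six attributes in the post's filter file; CoCo modelled
# as "release what the SP requested".
RS_BUNDLE = {"eduPersonPrincipalName", "email", "displayName",
             "givenName", "surname", "eduPersonTargetedID"}
CATEGORY_POLICY: Dict[str, Callable[[str, SP], bool]] = {
    RS: lambda attr, sp: attr in RS_BUNDLE,
    COCO: lambda attr, sp: attr in sp.requested,
}

# SP-specific overrides set by an IdP admin: (idp, sp, attribute) -> permit?
SPRules = Dict[Tuple[str, str, str], bool]


def release(attr: str, sp: SP, idp: IdP, rules: SPRules) -> bool:
    """Decide whether `idp` releases `attr` to `sp`, in the precedence the post gives."""
    # Gate: the attribute must be requested by the SP and supported by the IdP.
    if attr not in sp.requested or attr not in idp.supported:
        return False
    # 1. An SP-specific rule for this IdP/SP/attribute triple wins outright.
    key = (idp.entity_id, sp.entity_id, attr)
    if key in rules:
        return rules[key]
    # 2. Categories both sides support; their policies are OR-ed (R&S or CoCo).
    shared = sp.categories & idp.categories & set(CATEGORY_POLICY)
    if shared:
        return any(CATEGORY_POLICY[cat](attr, sp) for cat in shared)
    # 3. Otherwise the IdP's default scope for the attribute decides.
    scope = idp.default_scope.get(attr, "nowhere")
    if scope == "interfederation":
        return True
    if scope == "federation":
        return sp.federation == idp.federation
    if scope == "organisation":
        return sp.organisation == idp.organisation
    return False  # "nowhere" or an unknown scope: fail closed


def released_attributes(sp: SP, idp: IdP, rules: SPRules) -> List[str]:
    return sorted(a for a in sp.requested if release(a, sp, idp, rules))


def filter_policy(sp: SP, idp: IdP, rules: SPRules) -> str:
    """Render the per-SP AttributeFilterPolicy block in the shape shown in the post."""
    lines = [f'<AttributeFilterPolicy id="afp_for:{sp.entity_id}">',
             '    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"',
             f'        value="{sp.entity_id}" />']
    for attr in released_attributes(sp, idp, rules):
        lines += [f'    <AttributeRule attributeID="{attr}">',
                  '        <PermitValueRule xsi:type="basic:ANY" />',
                  '    </AttributeRule>']
    lines.append('</AttributeFilterPolicy>')
    return "\n".join(lines)


# Constructed sample data modelled on the post's example SP; other IDs are placeholders.
WIKI_SP = SP("https://wiki.edugain.org/shibboleth",
             requested=RS_BUNDLE | {"eduPersonAffiliation"},
             categories={RS}, organisation="edugain", federation="edugain")
LOCAL_SP = SP("https://intranet.example.ch/shibboleth",   # placeholder entityID
              requested={"eduPersonTargetedID", "email"},
              organisation="other-org", federation="SWITCHaai")
IDP = IdP("https://idp.example.ch/idp/shibboleth",        # placeholder entityID
          supported=RS_BUNDLE | {"eduPersonAffiliation"},
          organisation="example", federation="SWITCHaai",
          default_scope={"eduPersonTargetedID": "federation", "email": "organisation"})

if __name__ == "__main__":
    print(filter_policy(WIKI_SP, IDP, {}))
    print(filter_policy(LOCAL_SP, IDP, {}))
```

With this model the R&S-tagged wiki SP gets the six bundle attributes and nothing else (eduPersonAffiliation is requested and supported but outside the bundle), an admin's SP-specific deny for email removes it regardless of the category, and the uncategorised local SP falls through to the IdP defaults, where the federation-scoped eduPersonTargetedID is released but the organisation-scoped email is not.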