An open discussion list for topics related to the eduGAIN interfederation service.

[Lukas Hämmerle <lukas.haemmerle AT switch.ch>]

On 04.11.14 14:55, Tom Scavo wrote:
> I suspect that some of those same IdPs support Research & Scholarship
> as well.

Yes, our IdPs by default support both. And so far none has opted-out :-)


> How does an IdP implement such a complex attribute release
> policy? 

They don't have to. See below.


> Moreover, how does the Shibboleth IdP software choose between
> two competing policies?

In our case, it doesn't have to. We generate the (per IdP
custom-tailored) attribute release filter files for all our Shib-based
IdPs. These files are downloaded by the IdPs hourly and they contain
simple rules of the form:

<AttributeFilterPolicy id="afp_for:https://wiki.edugain.org/shibboleth";>
  <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
value="https://wiki.edugain.org/shibboleth"; />
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
  <AttributeRule attributeID="eduPersonTargetedID">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
</AttributeFilterPolicy>

(yes, we might run into scalibilty issues sometime with individual rules
per SP but most probably metadata scalability will hit all of us first)


The magic happens when this file is generated by the Resource Registry.

The process that decides if an attribute is released is shown in this
diagram:
https://rr.aai.switch.ch/images//AttributeReleaseProcess.png


Basically, the Resource Registry generates the attribute release rules
per SP. An attribute is released for an SP in general only if:
* it is requested by an SP
* it is supported/implemented by the IdP

If the above conditions are met, the more complex rules apply. An
attribute then is released according to these policies:

* SP-specific Policies:
  If any SP-specific rules (set by IdP admins) exist on the Resource
Registry for that IdP-SP combination and a particular attribute, that
rule is used.

* Entity Category Policies:
  If SP supports an entity category and if IdP supports this category
  (which is the default), use the release policy for that category
  If an SP supports R&S and CoCo, the attribute is released if it
  would be release either due to the R&S or due to the CoCo
  release policy.

* Default IdP Attribute Release Rules:
  Otherwise use the IdP default rules, which defines for each
  supported attributes where it is released to by default
  (nowhere, only SPs of same organisation, federation or
  interfederation). Also see:
  https://rr.aai.switch.ch/images//AttributeRelease.png


Some info on our attribute release processes can also be found on slides
7-9 of:
https://www.switch.ch/aai/support/presentations/techupdate-2014/03_RR_Updates.pdf


Best Regards
Lukas

-- 
SWITCH
Lukas Hämmerle, Central Solutions
GÉANT Project Task Leader "Enabling Users"
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 05, direct +41 44 268 15 64
lukas.haemmerle AT switch.ch, http://www.switch.ch