edugain-discuss - Re: [eduGAIN-discuss] Entity category support attribute for Data Protection CoCo?

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] Entity category support attribute for Data Protection CoCo?


  • From: Lukas Hämmerle <lukas.haemmerle AT switch.ch>
  • To: edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] Entity category support attribute for Data Protection CoCo?
  • Date: Tue, 04 Nov 2014 17:19:20 +0100
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>
  • Organization: SWITCH

On 04.11.14 15:51, Tom Scavo wrote:
>> * Entity Category Policies:
>> If SP supports an entity category and if IdP supports this category
>> (which is the default), use the release policy for that category
>> If an SP supports R&S and CoCo, the attribute is released if it
>> would be released either due to the R&S or due to the CoCo
>> release policy.
>
> This is the "complex attribute release policy" I was referring to. I
> have no idea how to implement the latter. (I realize this may be
> off-topic for this group. If you would prefer to take this discussion
> somewhere else, that would be fine.)

I think the key here is to look at the individual attributes an SP
requests and that the release decision based on R&S and CoCo is
evaluated using a boolean OR :-)

I assume the "complex" case is when both the IdP and SP declare support
for R&S and CoCo. In all other cases, only one of the two would apply,
so that would be "business as usual".

So let's look at the special case where SP and IdP support both:

I think that for the required attributes and those defined in the
minimal R&S attribute set, things should be pretty clear. Either entity
category per se should already be sufficient for an IdP to release
attributes to that SP. Also, to get R&S the list of requested attributes
can be at maximum the attribute set mentioned in the R&S spec.

We set an attribute to "release" if it is released either due to R&S or
CoCo. If an SP has both categories, the attribute release IMHO would
only be different for the two entity categories (individually) for
desired attributes and the non-minimal R&S attributes
(eduPersonTargetedID and eduPersonScopedAffiliation).

The desired attributes might not be released according to the CoCo (at
least in SWITCHaai) but they might be released by R&S (because it's one
of the minimal R&S attributes). On the other hand, it could be that a
non-minimal R&S attribute could be a required one, which then could be
released due to the CoCo.

It also should be mentioned that the distinction between desired and
required attributes might vanish sometime, which would make things even
clearer. There are discussions (in the Shib team and elsewhere) which
suggest that.


Best Regards
Lukas

--
SWITCH
Lukas Hämmerle, Central Solutions
GÉANT Project Task Leader "Enabling Users"
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 05, direct +41 44 268 15 64
lukas.haemmerle AT switch.ch, http://www.switch.ch
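The per-attribute "boolean OR" of the R&S and CoCo release policies that the message above describes, as an added worked example; this is not code from the thread, from Shibboleth, or from any SWITCHaai/eduGAIN deployment. Assumptions are labelled in the code: the entity category URIs, the split of the R&S bundle into a "minimal" set plus eduPersonTargetedID and eduPersonScopedAffiliation (as the message phrases it), the SWITCHaai practice that CoCo releases only attributes marked required, and the constructed SP metadata used as input. The sample SP is built so that every case the message lists shows up: a desired attribute released only by R&S, a required non-minimal R&S attribute released only by CoCo, and a desired non-minimal one released by neither.

```python
"""Combined R&S / CoCo attribute release decision (added example, not
code from the mailing-list thread or any federation software)."""
from dataclasses import dataclass

# Assumed category URIs for the example.
RNS = "http://refeds.org/category/research-and-scholarship"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Assumed split of the R&S bundle, following the message's wording:
# a "minimal" set, plus the two non-minimal attributes it names.
RNS_MINIMAL = frozenset({"eduPersonPrincipalName", "mail", "displayName",
                         "givenName", "sn"})
RNS_NON_MINIMAL = frozenset({"eduPersonTargetedID",
                             "eduPersonScopedAffiliation"})
RNS_BUNDLE = RNS_MINIMAL | RNS_NON_MINIMAL


@dataclass(frozen=True)
class RequestedAttribute:
    """Hypothetical model of one <md:RequestedAttribute> in SP metadata."""
    name: str
    required: bool  # isRequired="true" -> required; otherwise "desired"


def rns_releases(attr, idp_full_bundle=False):
    """R&S policy: the minimal set is always released; the non-minimal
    attributes only if the IdP chooses to release the full bundle."""
    bundle = RNS_BUNDLE if idp_full_bundle else RNS_MINIMAL
    return attr.name in bundle


def coco_releases(attr):
    """CoCo policy as the message says SWITCHaai applies it:
    required attributes are released, desired ones are not."""
    return attr.required


def decide(requested, sp_categories, idp_categories, idp_full_bundle=False):
    """Return {attribute name: (release?, {"R&S": bool, "CoCo": bool})}.

    A category's policy applies only when both SP and IdP declare it;
    the final decision is the boolean OR of the applicable policies."""
    sp, idp = set(sp_categories), set(idp_categories)
    use_rns = RNS in sp and RNS in idp
    use_coco = COCO in sp and COCO in idp
    # Check from the message: an R&S SP may request at most the R&S bundle.
    if use_rns and any(a.name not in RNS_BUNDLE for a in requested):
        raise ValueError("R&S SP requests attributes outside the R&S bundle")
    result = {}
    for a in requested:
        by_rns = use_rns and rns_releases(a, idp_full_bundle)
        by_coco = use_coco and coco_releases(a)
        result[a.name] = (by_rns or by_coco, {"R&S": by_rns, "CoCo": by_coco})
    return result


# Constructed SP metadata for the "SP and IdP support both" case.
SAMPLE_SP = [
    RequestedAttribute("eduPersonPrincipalName", True),
    RequestedAttribute("mail", True),
    RequestedAttribute("displayName", False),                # desired
    RequestedAttribute("eduPersonScopedAffiliation", True),  # non-minimal R&S
    RequestedAttribute("eduPersonTargetedID", False),        # non-minimal, desired
]


def sample_decision():
    """Decision for the constructed SP against an IdP declaring both
    categories and releasing only the minimal R&S set."""
    return decide(SAMPLE_SP, {RNS, COCO}, {RNS, COCO})


if __name__ == "__main__":
    for name, (release, reasons) in sample_decision().items():
        print(f"{name:28} release={release!s:5} {reasons}")
```

Running it shows displayName released by R&S alone (CoCo would withhold a desired attribute), eduPersonScopedAffiliation released by CoCo alone (it is outside the minimal R&S set but marked required), and eduPersonTargetedID withheld because neither policy covers a desired non-minimal attribute. Passing only one category on the SP side reduces the decision to that single policy, which is the "business as usual" case in the message.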
