edugain-discuss - Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs


  • From: Martin Matthiesen <martin.matthiesen AT csc.fi>
  • To: edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs
  • Date: Mon, 1 Dec 2014 11:17:09 +0200 (EET)
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>

Hello all,

I just joined this list, my name is Martin Matthiesen and I am currently
co-ordinating the Clarin AAI Taskforce, where we try to tackle AAI
interoperability within Clarin.

----- Original Message -----
> From: "Nicole Harris" <harris AT terena.org>
> To: edugain-discuss AT geant.net
> Sent: Friday, 28 November, 2014 20:16:09
> Subject: Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs

> So what I seem to be hearing here are the following actions:
>
> 1. REFEDS to look at an "academic IdP" EC and possibly a "public
> sign-up" EC (quick before Leif finds some more!).

I would argue against an EC for commercial IdPs. I cannot imagine a use case
where a resource or service can be open to hundreds of millions of potential
users from universities but has to be carefully guarded from users in
companies and Terms of Use are not sufficient. In my view such a resource is
either public or requires individual access, where I would trust the IdP from
a big commercial company probably more than the IdP from a small regional
university with an understaffed IT department. I would also trust the users
from commercial companies more to use resources responsibly and respect ToS
than 18 year old first-year students.

Protect Network is a special case, though. But I don't see the commercial
aspect here as the problem, rather the question on how users get accounts,
which is a bit unclear to me. If it is really "public sign up" and the level
of assurance is thus zero, I don't see why anyone would want to have it, with
or without EC. In Clarin we have a similar IdP for homeless users, but have
not registered that to eduGAIN for good reasons. I understand Protect Network
is IdP outsourcing, which makes a lot of sense.

Clarin does have a use case for resources that are automatically open to
academics, Clarin ACA (www.clarin.eu/content/license-categories). This
category is implemented in Fin-Clarin for a newspaper corpus (HS.fi,
https://korp.csc.fi/#lang=en). It requires the eduPersonAffiliation attribute
to be set to "faculty". I am not very familiar with eduGAIN legalese, but I
would assume that non-academic IdPs are not allowed to set eduPerson*?

> 2. Would be good to work with CLARIN a bit more to tease out a better
> definition of their user / customer base...perhaps Lukas and I can look
> at this with Dieter and Jozef through the Enabling Users work?

I'd be happy to join in as well.

> 3. Some work looking at scopes around "academic" roles, which could fit
> in with the SCHAC / MACE work that has been proposed.

I had two foreign users from Sweden and Norway trying to access the "HS.fi"
text corpus mentioned above and both professors could not get access because
their EPA attributes were lacking the "faculty" attribute, otherwise clearly
required by Feide and Swamid. This was corrected in one case and the user got
access. My argument against another EC is also practical: It will take a long
time to get the definition right and then an even longer time until all IdPs
have implemented it. And as said above, I don't see the use case.

Regards,
Martin

> Anything else?
>
> Jozef do you think any of these approaches will help you? If yes then
> we can call it a successful friday afternoon debate :-)
>
> Cheers
>
> Nicole
>
>
> On 28/11/2014 16:58, Leif Johansson wrote:
>>
>>
>>
>>> On 28 Nov 2014 at 17:44, Ian Young <ian AT iay.org.uk> wrote:
>>>
>>>
>>>> On 28 Nov 2014, at 16:10, Peter Schober <peter.schober AT univie.ac.at> wrote:
>>>>
>>>> *But* I think we have heard several reasons why (a) focussing on the
>>>> SAML IDP (or even the institution) may not be useful, and (b) coming
>>>> up with a shared/common understanding of the membership criteria for
>>>> such a category is highly unlikely to happen.
>>> I have to agree, although I'm open to be persuaded by an actual
>>> implementable definition that matches what people want to do.
>>>
>>> An IdP entity category could obviously be part of that, but I believe
>>> that an "academic IdP" category is not going to be the answer (at least
>>> to the stated goal of "connecting
>>
>> agree - Doesn't mean it won't be useful...
>>
>>> to every *academic*") for a couple of reasons, because using the
>>> identity of the organization that owns an IdP doesn't give you a perfect
>>> match with academic *users*. Not all accounts at an "academic IdP" are
>>> going to be associated with "academics", and some "academics" have
>>> accounts in places we wouldn't be likely to think of as "academic" IdPs.
>>>
>>> So to answer the stated use case, you need to combine:
>>>
>>> * A way of distinguishing IdPs that are trusted to assert that a
>>> particular user is "academic" (this could be an entity category, but it
>>> would have to be broader than Leif's straw man), and
>>>
>>> * A vocabulary for such an IdP to assert that a particular user is an
>>> "academic".
>>>
>>> Like I said, this is a hard problem. I'm with Peter in thinking that it's
>>> probably close to insoluble as stated. To make progress, we'll probably
>>> find that we have to accept some shift in the boundaries of the use case.
>>>
>>> -- Ian
> --
> Nicole Harris
> Project Development Officer
> GÉANT Association Amsterdam Office (formerly TERENA)
> Singel 468 D, 1017 AW Amsterdam
> The Netherlands
> Skype: harrisnv
> M:+31 64 610 53 95
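Martin's Clarin ACA rule (eduPersonAffiliation must carry "faculty") combined with Ian's two requirements (an IdP trusted to assert academic status, plus a vocabulary for that assertion), written as a service-provider side check. This is an added example, not code from the thread, from Clarin or from eduGAIN; the entityIDs, scopes and the SAML fragment are constructed, and the assertion signature is assumed to have been verified by the SP's SAML stack before this runs.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPA = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"   # eduPersonAffiliation
EPSA = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"  # eduPersonScopedAffiliation

# Constructed registry with hypothetical entityIDs: the IdPs this SP trusts
# to assert academic status, and the scope(s) each is registered for.
TRUSTED_ACADEMIC_IDPS = {
    "https://idp.uni-a.example/idp": {"uni-a.example"},
}

def attribute_values(assertion_xml):
    """Map SAML Attribute Name -> list of values. The SAML stack is assumed
    to have verified the assertion's signature before this runs."""
    root = ET.fromstring(assertion_xml)
    values = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values[attr.get("Name")] = [
            v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    return values

def aca_decision(issuer, assertion_xml):
    """Return (granted, reason) for a Clarin ACA resource: the issuer must be a
    registered academic IdP and the user must carry a 'faculty' affiliation.
    The reason goes to the SP log so a denial can be explained to the IdP."""
    scopes = TRUSTED_ACADEMIC_IDPS.get(issuer)
    if scopes is None:
        return False, "issuer not registered as an academic IdP"
    attrs = attribute_values(assertion_xml)
    # Scoped form first; the scope must belong to the issuer, so one IdP
    # cannot assert faculty status at another institution.
    for value in attrs.get(EPSA, []):
        affiliation, _, scope = value.partition("@")
        if affiliation == "faculty" and scope in scopes:
            return True, "faculty@" + scope
    if "faculty" in attrs.get(EPA, []):
        return True, "faculty (unscoped)"
    received = attrs.get(EPSA, []) + attrs.get(EPA, [])
    return False, "no faculty affiliation; received " + (", ".join(received) or "nothing")

# Constructed sample: a professor whose IdP releases member and employee only,
# the situation Martin describes for the Feide and Swamid users.
SAMPLE_NO_FACULTY = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
   <saml:AttributeValue>member@uni-a.example</saml:AttributeValue>
   <saml:AttributeValue>employee@uni-a.example</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
```

The logged reason distinguishes "IdP not trusted for this claim" from "IdP trusted, but the attribute value is missing", which is what a help desk needs to route the ticket to the right party.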
