Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs


Chronological Thread 
  • From: Martin Matthiesen <martin.matthiesen AT csc.fi>
  • To: edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs
  • Date: Mon, 1 Dec 2014 11:17:09 +0200 (EET)
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>

Hello all,

I just joined this list, my name is Martin Matthiesen and I am currently
co-ordinating the Clarin AAI Taskforce, where we try to tackle AAI
interoperability within Clarin.

----- Original Message -----
> From: "Nicole Harris" <harris AT terena.org>
> To: edugain-discuss AT geant.net
> Sent: Friday, 28 November, 2014 20:16:09
> Subject: Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs

> So what I seem to be hearing here are the following actions:
>
> 1. REFEDS to look at an "academic IdP" EC and possibly a "public
> sign-up" EC (quick before Leif finds some more!).

I would argue against an EC for commercial IdPs. I cannot immagine a use case
where a resource or service can be open to hundreds of millions of potential
users from universities but has to be carefully guarded from users in
companies and Terms of Use are not sufficient. In my view such a resource is
either public or requires individual access, where I would trust the IdP from
a big commerical company probably more than the IdP from a small regional
university with an understaffed IT department. I would also trust the users
from commercial companies more to use resources responsibly and respect ToS
than 18 year old first-year students.

Protect Network is a special case, though. But I don't see the commercial
aspect here as the problem, rather the question on how users get accounts,
which is a bit unclear to me. If it is really "public sign up" and the level
of assurance is thus zero, I don't see why anyone would want to have it, with
or without EC. In Clarin we have a similar IdP for homeless users, but have
not registered that to eduGAIN for good reasons. I understand Protect Network
is IdP outsourcing, which makes a lot of sense.

Clarin does have a use case for resources that are automatically open to
academics, Clarin ACA (www.clarin.eu/content/license-categories). This
category is implemented in Fin-Clarin for a newspaper corpus (HS.fi,
https://korp.csc.fi/#lang=en). It requires the eduPersonAffiliation attribute
to be set to "faculty". I am not very familiar with eduGAIN legalese, but I
would assume that non-academic IdPs are not allowed to set eduPerson*?

> 2. Would be good to work with CLARIN a bit more to tease out a better
> definition of their user / customer base...perhaps Lukas and I can look
> at this with Dieter and Jozef through the Enabling Users work?

I'd be happy to join in as well.

> 3. Some work looking at scopes around "academic" roles, which could fit
> in with the SCHAC / MACE work that has been proposed.

I had two foreign users from Sweden and Norway trying to access the "HS.fi"
text corpus mentioned above and both professors could not get access because
their EPA attributes were lacking the "faculty" attribute, otherwise clearly
required by Feide and Swamid. This was corrected in one case and the user got
access. My argument against another EC is also practical: It will take a long
time to get the definition right and then an even longer time until all IdPs
have implemented it. And as said above, I don't see the use case.

Regards,
Martin

> Anything else?
>
> Jozef do you think any of these approaches will help you? If yes then
> we can call it a successful friday afternoon debate :-)
>
> Cheers
>
> Nicole
>
>
> On 28/11/2014 16:58, Leif Johansson wrote:
>>
>>
>>
>>> 28 nov 2014 kl. 17:44 skrev Ian Young <ian AT iay.org.uk>:
>>>
>>>
>>>> On 28 Nov 2014, at 16:10, Peter Schober <peter.schober AT univie.ac.at>
>>>> wrote:
>>>>
>>>> *But* I think we have heard several reasons why (a) focussing on the
>>>> SAML IDP (or even the institution) may not be useful, and (b) coming
>>>> up with a shared/common understanding of the membership criteria for
>>>> such a category is highly unlikely to happen.
>>> I have to agree, although I'm open to be persuaded by an actual
>>> implementable
>>> definition that matches what people want to do.
>>>
>>> An IdP entity category could obviously be part of that, but I believe
>>> that an
>>> "academic IdP" category is not going to be the answer (at least to the
>>> stated
>>> goal of "connecting
>>
>> agree - Doesn't mean it won't be useful...
>>
>>> to every *academic*") for a couple of reasons, because using the identity
>>> of the
>>> organization that owns an IdP doesn't givs you a perfect match with
>>> academic
>>> *users*. Not all accounts at an "academic IdP" are going to be associated
>>> with
>>> "academics", and some "academics" have accounts in places we wouldn't be
>>> likely
>>> to think of as "academic" IdPs.
>>>
>>> So to answer the stated use case, you need to combine:
>>>
>>> * A way of distinguishing IdPs that are trusted to assert that a
>>> particular user
>>> is "academic" (this could be an entity category, but it would have to be
>>> broader than Leif's straw man), and
>>>
>>> * A vocabulary for such an IdP to assert that a particular user is an
>>> "academic".
>>>
>>> Like I said, this is a hard problem. I'm with Peter in thinking that it's
>>> probably close to insoluble as stated. To make progress, we'll probably
>>> find
>>> that we have to accept some shift in the boundaries of the use case.
>>>
>>> -- Ian
>>>
>>>
>>>
>>>
>>
>
>
> --
> Nicole Harris
> Project Development Officer
> GÉANT Association Amsterdam Office (formerly TERENA)
> Singel 468 D, 1017 AW Amsterdam
> The Netherlands
> Skype: harrisnv
> M:+31 64 610 53 95





Archive powered by MHonArc 2.6.19.

Top of Page