
edugain-discuss - Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Leif Johansson <leifj AT sunet.se>
  • To: edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs
  • Date: Mon, 01 Dec 2014 10:53:59 +0100
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass header.i= AT sunet.se
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>
  • Vbr-info: md=sunet.se; mc=all; mv=swamid.se

On 12/01/2014 10:17 AM, Martin Matthiesen wrote:
> Hello all,
>
> I just joined this list, my name is Martin Matthiesen and I am currently
> co-ordinating the Clarin AAI Taskforce, where we try to tackle AAI
> interoperability within Clarin.
>
> ----- Original Message -----
>> From: "Nicole Harris" <harris AT terena.org>
>> To: edugain-discuss AT geant.net
>> Sent: Friday, 28 November, 2014 20:16:09
>> Subject: Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs
>
>> So what I seem to be hearing here are the following actions:
>>
>> 1. REFEDS to look at an "academic IdP" EC and possibly a "public
>> sign-up" EC (quick before Leif finds some more!).
>
> I would argue against an EC for commercial IdPs. I cannot imagine a use
> case where a resource or service can be open to hundreds of millions of
> potential users from universities but has to be carefully guarded from
> users in companies and Terms of Use are not sufficient. In my view such a
> resource is either public or requires individual access, where I would
> trust the IdP from a big commercial company probably more than the IdP from
> a small regional university with an understaffed IT department. I would
> also trust the users from commercial companies more to use resources
> responsibly and respect ToS than 18 year old first-year students.
>
> Protect Network is a special case, though. But I don't see the commercial
> aspect here as the problem, rather the question on how users get accounts,
> which is a bit unclear to me. If it is really "public sign up" and the
> level of assurance is thus zero, I don't see why anyone would want to have
> it, with or without EC. In Clarin we have a similar IdP for homeless users,
> but have not registered that to eduGAIN for good reasons. I understand
> Protect Network is IdP outsourcing, which makes a lot of sense.
>

Based on conversations with other research projects I'm not sure Clarin
is representative in this view. For instance there is significant
interest in unitedid (because it offers 2 factor authn) even though
the proofing level is low.

> Clarin does have a use case for resources that are automatically open to
> academics, Clarin ACA (www.clarin.eu/content/license-categories). This
> category is implemented in Fin-Clarin for a newspaper corpus (HS.fi,
> https://korp.csc.fi/#lang=en). It requires the eduPersonAffiliation
> attribute to be set to "faculty". I am not very familiar with eduGAIN
> legalese, but I would assume that non-academic IdPs are not allowed to set
> eduPerson*?

I'm not sure what you mean by "allowed" but I'm not sure it's as simple
as that...

>
>> 2. Would be good to work with CLARIN a bit more to tease out a better
>> definition of their user / customer base...perhaps Lukas and I can look
>> at this with Dieter and Jozef through the Enabling Users work?
>
> I'd be happy to join in as well.
>
>> 3. Some work looking at scopes around "academic" roles, which could fit
>> in with the SCHAC / MACE work that has been proposed.
>
> I had two foreign users from Sweden and Norway trying to access the "HS.fi"
> text corpus mentioned above and both professors could not get access
> because their EPA attributes were lacking the "faculty" attribute,
> otherwise clearly required by Feide and Swamid. This was corrected in one
> case and the user got access. My argument against another EC is also
> practical: It will take a long time to get the definition right and then an
> even longer time until all IdPs have implemented it. And as said above, I
> don't see the use case.
>

That is wrong. SWAMID and Feide do not require 'faculty' and furthermore
that notion (faculty) has no meaning in the Scandinavian academic
tradition and is almost never defined.

Studies have shown (and experience bears this out) that only employee
and student are universally deployed.

Cheers Leif






