edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs

From: Jan Tomášek <jan.tomasek AT cesnet.cz>
To: edugain-discuss AT geant.net
Subject: Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs
Date: Mon, 01 Dec 2014 16:03:50 +0100
Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass header.i= AT cesnet.cz
List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
List-id: eduGAIN discussion list <edugain-discuss.geant.net>

Hello,

On 11/28/2014 04:57 PM, Mikael Linden wrote:

I also sympathize Jozef. We should provide scalable mechanisms for SPs
(better than "read their MRPS") to filter out the IdPs. We have Entity
categories for SPs, can't we introduce them for IdPs as well? Or use
eduPersonAffiliation for academics.

CESNET is operating eduID.cz but also our own services depending on eduID.cz federation. We needed some general classification of Research & Education user. We want to support libraries, universities to keep accounts for alums an our own IdP with affiliated accounts but we need to filter out those users from services which are only for R&E community as defined by our access policy.

We have created entity categories for IdP:
* university
* avcr - academy of sciences
* librariy
* hospitals
* cesnet

Admin of SP who want to allow only Research & Education users should set following filter:

(idp_category='university' and ((affiliate='employee') or
(affiliate='faculty') or (affiliate='member') or (affiliate='student') or
(affiliate='staff'))) or
(idp_category='avcr' and (affiliate='member')) or
(idp_category='library' and (affiliate='employee')) or
(idp_category='hospital' and (affiliate='employee')) or
(idp_category='cesnet' and ((affiliate='employee') or (affiliate='member')))

It is working, but I'm holding breath... not sure how long this will survive even in our small country. I can't imagine this to be expanded over eduGAIN. Even for CZ the filter is quite long.

Some doc:
http://www.eduid.cz/cs/tech/categories
http://www.eduid.cz/cs/tech/filtrovani-uzivatelu-dokumentace
Czech only, English written tech. report should be ready soon.

Best regards
--
--------------------------------------------------------------
Jan Tomasek aka Semik work: CESNET, z.s.p.o.
http://www.tomasek.cz/ Zikova 4, 160 00 Praha 6
Czech Republic
phone(work): +420 234 680 279 http://www.cesnet.cz/

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs, (continued)
- Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs, Peter Schober, 01-Dec-2014
- Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs, Fredrik Åslund, 01-Dec-2014
- Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs, Rhys Smith, 01-Dec-2014
  - Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs, Leif Johansson, 01-Dec-2014
- Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs, Jan Tomášek, 12/01/2014
- Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs, Steven Carmody, 02-Dec-2014