edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs

From: Tom Scavo <trscavo AT internet2.edu>
To: "edugain-discuss AT geant.net" <edugain-discuss AT geant.net>
Subject: Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs
Date: Thu, 4 Dec 2014 08:20:28 -0500
Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass header.i= AT gmail.com
List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
List-id: eduGAIN discussion list <edugain-discuss.geant.net>

On Thu, Dec 4, 2014 at 4:55 AM, Peter Schober
<peter.schober AT univie.ac.at> wrote:
>
> So I would suggest the following (eduPerson affiliation values):
>
> * Require just "member", if you're fine with students being included
>
> * Require "member AND NOT student" if you're not fine with students
>
> * If for some reason that's all unacceptable, require "faculty" and
> find ways how to deal with those not sending it (e.g. by accepting
> "staff" instead, as the UKfed and eduID.at use that to include
> faculty).

If we're talking about <RequestedAttribute> elements in metadata, then
there's also the nagging problem that you can only use
eduPersonAffiliation in conjunction with specific values. For example,
the following element is incorrect:

<RequestedAttribute FriendlyName="eduPersonScopedAffiliation"
Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri">
<saml:AttributeValue>member</saml:AttributeValue>
</RequestedAttribute>

since member is a scoped attribute. AFAIK, there's no way to work around that.

Tom

Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs, (continued)