
edugain-discuss - Re: [eduGAIN-discuss] Assessment of Slovenia / safeID

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

Re: [eduGAIN-discuss] Assessment of Slovenia / safeID

  • From: Peter Schober <peter.schober AT univie.ac.at>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] Assessment of Slovenia / safeID
  • Date: Thu, 7 Nov 2019 11:33:14 +0100
  • Organization: ACOnet

* Chris Phillips <Chris.Phillips AT canarie.ca> [2019-11-07 05:52]:
> It’s good to see the latest content being used for MRPS and
> leveraging the SUNET tech profile.  I do have a question or two
> though..
>
> Section 3 of the SafeID technology profile[1] has:
>
> All identity providers (home organizations and attribute authorities) MUST
> fulfil the SAML V2.0 Interoperability Deployment Profile [3].
> All service providers SHOULD fulfil the SAML 2.0 Interoperability
> Deployment Profile [3].

FWIW, that MUST doesn't come from the SWAMID SAML Technology Profile
but from the ACOnet one (which was derived from the SWAMID one -- as
was our policy back then, which started the whole Creative Commons
licensing and Federation Policy Template activities):
https://www.aco.net/Federation_TP-websso.pdf

> Are you sure about the MUST statement around *ALL* of saml2int.org for
> IDPs?
>
> While it sounds good and maybe early on safeID has the opportunity
> to insist IdPs comply with this it may be challenging given how
> forward looking saml2int.org is.

Our SAML Tech Profile was published in 2011 at which point saml2int
probably was on v0.1 or v0.2 https://saml2int.org/profile/0.2/
and the MUST for v0.2 was justified and easily fulfilled by our IDPs.

So it was the (rather drastic, and fully unexpected) change in
saml2int from 0.2 to 2.0 that causes this issue. Our own version of
the tech profile had a kind of version reference in it ("stable
version") but of course that wasn't specific enough. I should have
nailed it to 0.2 but wasn't keen on updating the profile for further
minor versions. Semantic versioning ftw, anyone?

AFAIR Martin also started creating his own derived versions of these
documents long before the new and very different saml2int > v0.2
versions were written, and so his derived versions also suffer from
imprecise references, pointing to something that's now very different
from what it was when that reference was inserted.

> Was the MUST statement intentional for a specific reason?

Yes, see above.

-peter
