Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] Filtering eduPersonEntitlement

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] Filtering eduPersonEntitlement


Chronological Thread 
  • From: Alex Stuart <Alex.Stuart AT jisc.ac.uk>
  • To: Pavel Šipoš <pavel.sipos AT arnes.si>
  • Cc: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] Filtering eduPersonEntitlement
  • Date: Thu, 21 May 2020 08:39:53 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=jisc.ac.uk; dmarc=pass action=none header.from=jisc.ac.uk; dkim=pass header.d=jisc.ac.uk; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ojdUOHvS3s8R6v/zjlcBiLEgUGlUGgTqADNdTGvatWg=; b=cfgIm4zSMvfLAJiXTYJWshZixOOP0pwZ8p3oquCT45H0drjjXfi5aFZ6GSCdmK0isqF/ahh3OEXa/rJq7YFk/514c93S4y4zjCn88+RzFiIKcc8klFAPxiuR5pVBEnJET55Im1nS4PYlYq8ccHnb6vxKFVoxXDwWi1Z6OH5OjlH6Yp2PY+ewabgIhjr7Y2H60oyHEL0AX67PNYF96+fRs8FlEz0yuL7khl9NcUv9ZSsLTTiGmJxyY3qx5ZCB6sxAwVQpavTMPtFJ7gBsdK1UA+Ecnj+RdRpvlg+BErUTjF5dqtqknVIHGCVl1JEyIotKlsd2wikodMzC8ZJliDTT/w==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jyDzLkx9cJ4Hfd6ood2GZRzeyO603+g0L8jfcPCoR8vYEcFvOC4YI9CZR4XJnOUCC3JDAGYiLp2xkPZE2Jz23s71YzAPz5ZTZ5Kml87wjUXheoAoVMCvUqb36IRKmxF9QqdvCHKG7B3jokk1xBSi3qE0nj3CPAeWwpTJ0u6E68DH/XbMlHD5p+0MZOnX473iTx2wuITIa1LBuU1/nkZHx+pHi4EHbXa2iQc+aAzM1EJ9HNuI5BVyuWM5tg+hLPYefr/h+dcAUjFztn62jEeiI+uExZKVXde2wjmNQh970/W23zatf9c0XQrbK2IAaZUwC0BSnl4OcdHsLcDDMItIew==
  • Authentication-results: arnes.si; dkim=none (message not signed) header.d=none;arnes.si; dmarc=none action=none header.from=jisc.ac.uk;

Hi Pavel,

You're right that eduPersonEntitlement can take multiple values, and also
"The meaning of a given value of eduPersonEntitlement is normally defined by
a service provider" [1].

You should not expect to find possible values published in metadata. The
specification says "the trust between the two parties must be established out
of band" [2], so you would usually have to discuss the values with the
service provider. We do have a short cut in the UK federation, where some of
the services list their requirements for eduPersonEntitlement values and the
criteria for which accounts should assert those value. See [3] for an example.

In prinicple a SP owner could put the expected values into a
RequestedAttribute element. However, it doesn't look like there are any
examples of this in eduGAIN metadata (using [4]). Practically, you can
envisage that there could be many potential values of eduPersonEntitlement
accepted by a single SP. Some of the values might give an indication of
business processes so you wouldn't want them to published; and the values
could be defined & changed by business units without having to talk to the SP
metadata folks. This makes metadata a bad place to publish such information.

Hope that helps,
Alex

[1] UK federation Techniocal Recommendations for Participants, Section 7.1.5
eduPersonEntitlement
https://docs.ukfederation.org.uk/trp/1.5/attribute-usage/#71-core-attributes

[2] eduPersonEntitlement in the most recent version of the schema.
https://wiki.refeds.org/display/STAN/eduPerson+2020-01#eduPerson2020-01-eduPersonEntitlement

[3] https://www.ukfederation.org.uk/content/Services/2010-11-10-JUSP

[4]
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform";
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";>

<xsl:output method="text" encoding="UTF-8"/>

<xsl:template
match="md:EntityDescriptor/md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute/md:AttributeValue">
<xsl:text>entityID:&#09;</xsl:text>
<xsl:value-of select="../../../../@entityID"/>
<xsl:text>&#09;</xsl:text>
<xsl:value-of select="../@Name"/>
<xsl:text>&#09;</xsl:text>
<xsl:value-of select="."/>
<xsl:text>&#10;</xsl:text>
<xsl:apply-templates />
</xsl:template>

<xsl:template match="text()">
<!-- do nothing -->
</xsl:template>
</xsl:stylesheet>



> On 21 May 2020, at 08:38, Pavel Šipoš <pavel.sipos AT arnes.si> wrote:
>
> Hi.
>
> We are using SimpleSAMLphp for IdP.
>
> I am looking for solution to filter release of users "eduPersonEntitlement"
> attribute to only one value (or these that are matching) based on entityID
> of SP requesting it.
> Because "eduPersonEntitlement" can occur multiple times and is multivalue
> attribute, we want do to matching of values with domain of entityID of SP
> to release just matching ones.
>
> I know it is not ideal solution, but from federation metadata I just don't
> see or can't predict which exact eduPersonEntitlement is requested for some
> SP.
>
> Has anybody done that or how are you solving this problem?
>
> Regards
> Pavel (ArnesAAI)
>
> --
> --
> Pavel Sipos, Arnes <pavel.sipos AT arnes.si>
> ARNES, p.p. 7, SI-1001 Ljubljana, Slovenia
> T: +386 1 479 88 00
> W: www.arnes.si, aai.arnes.si
>


Alex Stuart, Technical Development Manager (Trust and Identity)
alex.stuart AT jisc.ac.uk

In line with government advice, at Jisc we’re now working from home and our
offices are currently closed. Read our statement on coronavirus:
https://www.jisc.ac.uk/about/corporate/coronavirus-statement

Attachment: smime.p7s
Description: S/MIME cryptographic signature




Archive powered by MHonArc 2.6.19.

Top of Page