
edugain-discuss - Re: [eduGAIN-discuss] Filtering eduPersonEntitlement

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

Re: [eduGAIN-discuss] Filtering eduPersonEntitlement


  • From: Alex Stuart <Alex.Stuart AT jisc.ac.uk>
  • To: Pavel Šipoš <pavel.sipos AT arnes.si>
  • Cc: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] Filtering eduPersonEntitlement
  • Date: Thu, 21 May 2020 08:39:53 +0000
  • Accept-language: en-GB, en-US

Hi Pavel,

You're right that eduPersonEntitlement can take multiple values, and also
"The meaning of a given value of eduPersonEntitlement is normally defined by
a service provider" [1].

You should not expect to find possible values published in metadata. The
specification says "the trust between the two parties must be established out
of band" [2], so you would usually have to discuss the values with the
service provider. We do have a short cut in the UK federation, where some of
the services list their requirements for eduPersonEntitlement values and the
criteria for which accounts should assert those values. See [3] for an example.

In principle an SP owner could put the expected values into a
RequestedAttribute element. However, it doesn't look like there are any
examples of this in eduGAIN metadata (using [4]). Practically, you can
envisage that there could be many potential values of eduPersonEntitlement
accepted by a single SP. Some of the values might give an indication of
business processes so you wouldn't want them to be published; and the values
could be defined & changed by business units without having to talk to the SP
metadata folks. This makes metadata a bad place to publish such information.

Hope that helps,
Alex

[1] UK federation Technical Recommendations for Participants, Section 7.1.5
eduPersonEntitlement
https://docs.ukfederation.org.uk/trp/1.5/attribute-usage/#71-core-attributes

[2] eduPersonEntitlement in the most recent version of the schema.
https://wiki.refeds.org/display/STAN/eduPerson+2020-01#eduPerson2020-01-eduPersonEntitlement

[3] https://www.ukfederation.org.uk/content/Services/2010-11-10-JUSP

[4]
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <xsl:output method="text" encoding="UTF-8"/>

  <!-- One tab-separated line per RequestedAttribute value: entityID, attribute Name, value -->
  <xsl:template
      match="md:EntityDescriptor/md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute/md:AttributeValue">
    <xsl:text>entityID:&#09;</xsl:text>
    <xsl:value-of select="../../../../@entityID"/>
    <xsl:text>&#09;</xsl:text>
    <xsl:value-of select="../@Name"/>
    <xsl:text>&#09;</xsl:text>
    <xsl:value-of select="."/>
    <xsl:text>&#10;</xsl:text>
    <xsl:apply-templates />
  </xsl:template>

  <!-- Suppress the built-in rule that would otherwise copy every other text node to the output -->
  <xsl:template match="text()">
    <!-- do nothing -->
  </xsl:template>
</xsl:stylesheet>



> On 21 May 2020, at 08:38, Pavel Šipoš <pavel.sipos AT arnes.si> wrote:
>
> Hi.
>
> We are using SimpleSAMLphp for IdP.
>
> I am looking for a solution to filter release of users' "eduPersonEntitlement"
> attribute to only one value (or those that are matching) based on the entityID
> of the SP requesting it.
> Because "eduPersonEntitlement" can occur multiple times and is a multi-valued
> attribute, we want to do matching of values with the domain of the entityID of the SP
> to release just the matching ones.
>
> I know it is not ideal solution, but from federation metadata I just don't
> see or can't predict which exact eduPersonEntitlement is requested for some
> SP.
>
> Has anybody done that or how are you solving this problem?
>
> Regards
> Pavel (ArnesAAI)
>
> --
> --
> Pavel Sipos, Arnes <pavel.sipos AT arnes.si>
> ARNES, p.p. 7, SI-1001 Ljubljana, Slovenia
> T: +386 1 479 88 00
> W: www.arnes.si, aai.arnes.si
>


Alex Stuart, Technical Development Manager (Trust and Identity)
alex.stuart AT jisc.ac.uk

In line with government advice, at Jisc we’re now working from home and our
offices are currently closed. Read our statement on coronavirus:
https://www.jisc.ac.uk/about/corporate/coronavirus-statement
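Pavel's per-SP release problem and Alex's RequestedAttribute lookup, as an added Python example that is not part of the message and not SimpleSAMLphp code: it reads the eduPersonEntitlement values an SP advertises in its metadata (the same lookup as the XSLT above, via ElementTree), and when an SP advertises none it falls back first to a list agreed out of band and only then to matching the SP's host against the value. The EntityDescriptor, entityIDs and entitlement values are constructed for the example; the OID is the standard one for eduPersonEntitlement.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
EPE_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"  # eduPersonEntitlement

# Constructed sample SP metadata: one RequestedAttribute advertising two values.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Service</md:ServiceName>
      <md:RequestedAttribute Name="{EPE_OID}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <md:AttributeValue>urn:mace:example.org:reader</md:AttributeValue>
        <md:AttributeValue>urn:mace:example.org:admin</md:AttributeValue>
      </md:RequestedAttribute>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def requested_entitlements(metadata_xml):
    """Return {entityID: set(values)} for every eduPersonEntitlement value an SP
    publishes in a RequestedAttribute (works on an EntitiesDescriptor aggregate too)."""
    root = ET.fromstring(metadata_xml)
    ed_tag = f"{{{MD}}}EntityDescriptor"
    descs = [root] if root.tag == ed_tag else root.iter(ed_tag)
    out = {}
    for ed in descs:
        vals = {av.text.strip()
                for ra in ed.iter(f"{{{MD}}}RequestedAttribute") if ra.get("Name") == EPE_OID
                for av in ra.findall(f"{{{MD}}}AttributeValue") if av.text}
        if vals:
            out[ed.get("entityID")] = vals
    return out


def release_entitlements(user_values, sp_entity_id, advertised, agreed):
    """Decide which of the user's entitlement values are released to this SP.
    Precedence: values the SP advertises in metadata, then the allow-list agreed
    with the SP out of band, then (Pavel's fallback) values containing a domain
    component that the SP's host equals or is a subdomain of."""
    allowed = advertised.get(sp_entity_id) or agreed.get(sp_entity_id)
    if allowed is not None:
        return sorted(v for v in user_values if v in allowed)
    host = urlparse(sp_entity_id).hostname or sp_entity_id
    def host_matches(value):
        tokens = re.split(r"[:/]", value)
        return any(host == t or host.endswith("." + t) for t in tokens if "." in t)
    return sorted(v for v in user_values if host_matches(v))
```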
