Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?


Chronological Thread 
  • From: Maarten Kremers <maarten.kremers AT surf.nl>
  • To: Pål Axelsson <pax AT sunet.se>, Lukas Hämmerle <lukas.haemmerle AT switch.ch>
  • Cc: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?
  • Date: Mon, 16 May 2022 13:29:12 +0000
  • Accept-language: nl-NL, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=surf.nl; dmarc=pass action=none header.from=surf.nl; dkim=pass header.d=surf.nl; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=7hK4Wv1oYzcA57medNvesj/MPjBMs9kHLGT1J67SKU4=; b=TmRhIK1hBahM51fOpdBdW06WZeeJIIypyelBUiVudM/47STGdjdjEhOfWSo2nNjeqAhRe/ngpcHsjbwBgWf5sCyElfYDT+K3jk4YVGjRueFOJ2CxbiebsLciEnWCsQYTfHBwJ96D2tPrliK7U8s4R9xOJMiMvqGFdoKoFGp76IW5+dHmwMiTSdQ6yFXrBnXyxgq0OAyLWE1dlWZPnoKNXsOI3loR171ERBbH2UVEeGEOImsYmxR9YGWTqI6l3KItqdULZRLxbWamVc7dyztvaEeWX9tbA0SSR6RcNfRnDOHmJ4/06dp0NgaTWiw5OBpV8O9wWFkNIy34ulIT1QrQbg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fhAGK+3fGfoyAy5sjdEgGatszXMqA5pnzrIzVtTE9boefvNbAbpCXoMcvVsrFK1b+1+hNVqqMYhpssWyDwdzGFdthq1xyRjABsU5Yo64z6y6D1iAxBonB07IWIeCTTkUiLHgfzgY4VYzESdZ5v1UQg8s8xADfmaGegQRwM8zIq5Ym+fVgF7tGXu834jVbxYz7C2J/j+MHGzmd4dSgdGh2RXrwvC8uI+D0feHYdDmRl7Wa8n/sMnACokgACNfOc54WS9D5b+8XIRNMgJHNvUh3ke9n/wQH1V2jaWngCKHGszKiQ+u8zsHUTfZGJ1zVDN+sLF2qMh+l35kGMVJ4YpEKw==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=surf.nl;

Hi Pål, all,

On 16 May 2022, at 11:31, Pål Axelsson <pax AT sunet.se> wrote:
>
> Hi,
>
> RAF does not have any notion about self-asserted identity. It has only the
> level of identity proofing, uniqueness of identifier and update speed of
> affiliation.

I don’t agree, paragraph 2.2. of RAF (Identity Proofing) signalling ‘low’ is
self asserted (as also mentioned in the example), where as medium (or high)
is a vetted identity. IMHO that makes the difference in the identity proofing
signal.

Cheers,
Maarten

>
> With that said, a non-organisational identity provider should not release
> any home organisation and affiliation values for the users. This is how
> the Swedish non-organisational IdP eduID.se do it today. eduID.se will
> start to release RAF values before the summer.

I do agree with that, a vetted identity as such doesn’t say anything about
any possible affiliations. However having said that, for eduID.nl (not in
eduGAIN) we do release eduid.nl as schacHomeOrg

On a sidenote, we do use the AuthnContextClassRef in our eduid.nl at the
moment for step-up on assurance levels (to indicate whether an eduID has been
stepped up by means linking your eduid.nl account to a dutch institutional
account, hence getting a higher level of proofing on the identity.
(https://wiki.surfnet.nl/pages/viewpage.action?pageId=35783850#:~:text=in%20eduID%20Profile-,https%3A//eduid.nl/trust/linked%2Dinstitution,-Require%20the%20user)


Additional information can be retrieved by querying an API
(https://wiki.surfnet.nl/display/surfconextdev/eduID+API#:~:text=https%3A//login.eduid.nl/myconext/api/eduid/links)

Cheers,
Maarten

>
> Pål
>
>
> -----Original Message-----
> From: edugain-discuss-request AT lists.geant.org
> <edugain-discuss-request AT lists.geant.org> On Behalf Of Maarten Kremers
> Sent: Monday, May 16, 2022 9:19 AM
> To: Lukas Hämmerle <lukas.haemmerle AT switch.ch>
> Cc: edugain-discuss AT lists.geant.org
> Subject: Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?
>
> Hi Lukas,
>
> My 2 cents: I don’t think there is any official policy (albeit some
> implicit assumptions).
> The REFEDS Assurance framework would be of help in my view by signalling
> that an account is self asserted. This of course requires further uptake
> of RAF.
> Nevertheless it would be good to also have more explicit view on what we
> as eduGAIN expect, this could be one of the actions of the eduGAIN futures
> work.
>
> Best regards,
> Maarten
>
>> On 16 May 2022, at 08:48, Lukas Hämmerle <lukas.haemmerle AT switch.ch>
> wrote:
>>
>> Hello all
>>
>> What is eduGAIN's current official policy and best-practice in terms of
> guest and open Identity Providers where just anyone can create an account?
>>
>> I as far as I see, there is nothing directly mentioned in the
> constitution and declaration regarding this point. One relevant document
> in this matter is the registration practice statement that each federation
> writes (and changes) on its own.
>>
>> The "Registration practice statement" of a federation declares which
> types of organisations are accepted in a federation. Assuming that a
> university or a federation operator itself would operate a guest IdP that
> allows just any user with a valid e-mail address to register an account,
> would this be ok? Or are there any limits on which attributes and values
> this IdP should/should not release?
>>
>> I know that there exist at least one guest IdP in eduGAIN (that releases
> just a limited set of attributes) and that probably more exist. Still, I'm
> interested in some current official response and view on this topic.
>>
>> The background of this question has to do with SWITCH edu-ID where we
> currently publish the university IdPs in eduGAIN but don't allow private
> identities (without university affiliation) to access eduGAIN services.
> There are library use cases where people (without university affiliation)
> need access to publisher resources (accessible via eduGAIN). Therefore, we
> are exploring the options how to allow access to these users.
>>
>>
>> Best Regards
>> Lukas
>>
>> --
>> SWITCH
>> Lukas Hämmerle, Trust & Identity
>> Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
>> +41 44 268 15 64 lukas.haemmerle AT switch.ch http://www.switch.ch
>
>
> Maarten Kremers
> Technical Product Manager Trust & Identity
> GÉANT Project Task Leader Trust & Identity Enabling Communities
>
> SURF | E maarten.kremers AT surf.nl | T +31 30 88 787 3000 | Available: Mon -
> Tue - Wed - Fri
> SURF is the collaborative organisation for ICT in Dutch education and
> research


Maarten Kremers
Technical Product Manager Trust & Identity
GÉANT Project Task Leader Trust & Identity Enabling Communities

SURF | E maarten.kremers AT surf.nl | T +31 30 88 787 3000 | Available: Mon -
Tue - Wed - Fri
SURF is the collaborative organisation for ICT in Dutch education and research




Archive powered by MHonArc 2.6.19.

Top of Page