edugain-discuss - RE: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

RE: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?


  • From: Pål Axelsson <pax AT sunet.se>
  • To: Maarten Kremers <maarten.kremers AT surf.nl>, Lukas Hämmerle <lukas.haemmerle AT switch.ch>
  • Cc: edugain-discuss AT lists.geant.org
  • Subject: RE: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?
  • Date: Mon, 16 May 2022 15:43:04 +0200

> -----Original Message-----
> From: Maarten Kremers <maarten.kremers AT surf.nl>
> Sent: Monday, May 16, 2022 3:29 PM
> To: Pål Axelsson <pax AT sunet.se>; Lukas Hämmerle
> <lukas.haemmerle AT switch.ch>
> Cc: edugain-discuss AT lists.geant.org
> Subject: Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?
>
> Hi Pål, all,
>
> On 16 May 2022, at 11:31, Pål Axelsson <pax AT sunet.se> wrote:
> >
> > Hi,
> >
> > RAF does not have any notion about self-asserted identity. It has only
> > the level of identity proofing, uniqueness of identifier and update
> > speed of affiliation.
>
> I don't agree, paragraph 2.2. of RAF (Identity Proofing) signalling 'low' is self
> asserted (as also mentioned in the example), whereas medium (or high) is a
> vetted identity. IMHO that makes the difference in the identity proofing
> signal.

I agree that the level of identity proofing is self-asserted at low. At
medium and high you need something else than self-asserted, but that
doesn't mean that you get any organisational affiliation based on that. The
home organisation affiliation is a totally different beast that is not coupled
to the identity proofing itself. Low, medium and high "only" define how
well you have proofed the individual, not where he/she belongs.

Pål

>
> Cheers,
> Maarten
>
> >
> > With that said, a non-organisational identity provider should not
> > release any home organisation and affiliation values for the users.
> > This is how the Swedish non-organisational IdP eduID.se do it today.
> > eduID.se will start to release RAF values before the summer.
>
> I do agree with that, a vetted identity as such doesn't say anything about any
> possible affiliations. However having said that, for eduID.nl (not in eduGAIN) we
> do release eduid.nl as schacHomeOrg
>
> On a sidenote, we do use the AuthnContextClassRef in our eduid.nl at the
> moment for step-up on assurance levels (to indicate whether an eduID has been
> stepped up by means of linking your eduid.nl account to a Dutch institutional
> account, hence getting a higher level of proofing on the identity).
> (https://wiki.surfnet.nl/pages/viewpage.action?pageId=35783850#:~:text=in%20eduID%20Profile-,https%3A//eduid.nl/trust/linked%2Dinstitution,-Require%20the%20user)
>
> Additional information can be retrieved by querying an API
> (https://wiki.surfnet.nl/display/surfconextdev/eduID+API#:~:text=https%3A//login.eduid.nl/myconext/api/eduid/links)
>
> Cheers,
> Maarten
>
> >
> > Pål
> >
> >
> > -----Original Message-----
> > From: edugain-discuss-request AT lists.geant.org
> > <edugain-discuss-request AT lists.geant.org> On Behalf Of Maarten Kremers
> > Sent: Monday, May 16, 2022 9:19 AM
> > To: Lukas Hämmerle <lukas.haemmerle AT switch.ch>
> > Cc: edugain-discuss AT lists.geant.org
> > Subject: Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?
> >
> > Hi Lukas,
> >
> > My 2 cents: I don’t think there is any official policy (albeit some
> > implicit assumptions).
> > The REFEDS Assurance framework would be of help in my view by
> > signalling that an account is self asserted. This of course requires
> > further uptake of RAF.
> > Nevertheless it would be good to also have more explicit view on what
> > we as eduGAIN expect, this could be one of the actions of the eduGAIN
> > futures work.
> >
> > Best regards,
> > Maarten
> >
> >> On 16 May 2022, at 08:48, Lukas Hämmerle <lukas.haemmerle AT switch.ch>
> > wrote:
> >>
> >> Hello all
> >>
> >> What is eduGAIN's current official policy and best-practice in terms of
> >> guest and open Identity Providers where just anyone can create an account?
> >>
> >> As far as I see, there is nothing directly mentioned in the
> >> constitution and declaration regarding this point. One relevant
> >> document in this matter is the registration practice statement that
> >> each federation writes (and changes) on its own.
> >>
> >> The "Registration practice statement" of a federation declares which
> >> types of organisations are accepted in a federation. Assuming that a
> >> university or a federation operator itself would operate a guest IdP
> >> that allows just any user with a valid e-mail address to register an
> >> account, would this be ok? Or are there any limits on which attributes
> >> and values this IdP should/should not release?
> >>
> >> I know that there exists at least one guest IdP in eduGAIN (that releases
> >> just a limited set of attributes) and that probably more exist. Still,
> >> I'm interested in some current official response and view on this topic.
> >>
> >> The background of this question has to do with SWITCH edu-ID where we
> >> currently publish the university IdPs in eduGAIN but don't allow
> >> private identities (without university affiliation) to access eduGAIN services.
> >> There are library use cases where people (without university
> >> affiliation) need access to publisher resources (accessible via
> >> eduGAIN). Therefore, we are exploring the options how to allow access to
> >> these users.
> >>
> >>
> >> Best Regards
> >> Lukas
> >>
> >> --
> >> SWITCH
> >> Lukas Hämmerle, Trust & Identity
> >> Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
> >> +41 44 268 15 64 lukas.haemmerle AT switch.ch http://www.switch.ch
> >
> > —
> > Maarten Kremers
> > Technical Product Manager Trust & Identity GÉANT Project Task Leader
> > Trust & Identity Enabling Communities
> >
> > SURF | E maarten.kremers AT surf.nl | T +31 30 88 787 3000 | Available:
> > Mon - Tue - Wed - Fri SURF is the collaborative organisation for ICT
> > in Dutch education and research
>
>
> Maarten Kremers
> Technical Product Manager Trust & Identity GÉANT Project Task Leader Trust &
> Identity Enabling Communities
>
> SURF | E maarten.kremers AT surf.nl | T +31 30 88 787 3000 | Available: Mon -
> Tue - Wed - Fri SURF is the collaborative organisation for ICT in Dutch education
> and research
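As an added illustration (not code from this thread, nor from eduID.se, eduID.nl or SWITCH edu-ID), a small SP-side check that reads the RAF identity-proofing signal from eduPersonAssurance and keeps it strictly separate from home-organisation affiliation, which is the distinction drawn above. The value URIs are those of the REFEDS Assurance Framework v1.0; the attribute sets are constructed samples.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# REFEDS Assurance Framework (RAF) v1.0 URIs for the Identity Proofing (IAP)
# component; the thread refers to them simply as "low", "medium" and "high".
RAF = "https://refeds.org/assurance"
IAP_ORDER = {            # higher number = stronger proofing
    f"{RAF}/IAP/low": 1,
    f"{RAF}/IAP/medium": 2,
    f"{RAF}/IAP/high": 3,
}


@dataclass
class Decision:
    proofing: str                 # "self-asserted", "vetted" or "unknown"
    trusted_affiliation: bool     # may the SP rely on an affiliation claim?
    home_org: Optional[str]


def evaluate(attrs: Dict[str, List[str]]) -> Decision:
    """Classify a released attribute set as an SP would see it after decoding.

    Proofing is read only from eduPersonAssurance; affiliation is read only
    from eduPersonAffiliation/schacHomeOrganization and never inferred from
    the proofing level, because a vetted person may belong to no organisation.
    """
    assurance = set(attrs.get("eduPersonAssurance", []))
    levels = [IAP_ORDER[v] for v in assurance if v in IAP_ORDER]
    if not levels:
        proofing = "unknown"          # no RAF IAP component signalled at all
    elif max(levels) >= 2:
        proofing = "vetted"           # medium or high
    else:
        proofing = "self-asserted"    # only IAP/low present
    home_org = (attrs.get("schacHomeOrganization") or [None])[0]
    affiliations = attrs.get("eduPersonAffiliation", [])
    # Trust an affiliation only when the IdP asserts both a value and the
    # organisation it is relative to; a guest IdP should release neither.
    trusted = bool(affiliations) and home_org is not None
    return Decision(proofing, trusted, home_org)


# Constructed sample attribute sets (not real IdP output).
GUEST_IDP = {"eduPersonAssurance": [RAF, f"{RAF}/IAP/low", f"{RAF}/ID/unique"]}
VETTED_NO_ORG = {"eduPersonAssurance": [RAF, f"{RAF}/IAP/medium", f"{RAF}/ID/unique"]}
CAMPUS_IDP = {
    "eduPersonAssurance": [RAF, f"{RAF}/IAP/high", f"{RAF}/ID/unique"],
    "eduPersonAffiliation": ["member", "student"],
    "schacHomeOrganization": ["example.edu"],
}
```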


