
edugain-discuss - Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.



Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?


  • From: Maarten Kremers <maarten.kremers AT surf.nl>
  • To: Pål Axelsson <pax AT sunet.se>, Lukas Hämmerle <lukas.haemmerle AT switch.ch>
  • Cc: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?
  • Date: Mon, 16 May 2022 13:55:14 +0000
  • Accept-language: nl-NL, en-US

Hi,

> On 16 May 2022, at 15:43, Pål Axelsson <pax AT sunet.se> wrote:
>
>> -----Original Message-----
>> From: Maarten Kremers <maarten.kremers AT surf.nl>
>> Sent: Monday, May 16, 2022 3:29 PM
>> To: Pål Axelsson <pax AT sunet.se>; Lukas Hämmerle
>> <lukas.haemmerle AT switch.ch>
>> Cc: edugain-discuss AT lists.geant.org
>> Subject: Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?
>>
>> Hi Pål, all,
>>
>> On 16 May 2022, at 11:31, Pål Axelsson <pax AT sunet.se> wrote:
>>>
>>> Hi,
>>>
>>> RAF does not have any notion about self-asserted identity. It has only
>>> the level of identity proofing, uniqueness of identifier and update
>>> speed of affiliation.
>>
>> I don’t agree, paragraph 2.2 of RAF (Identity Proofing) signalling ‘low’ is self
>> asserted (as also mentioned in the example), whereas medium (or high) is a
>> vetted identity. IMHO that makes the difference in the identity proofing
>> signal.
>
> I agree that the level of identity proofing is self-asserted at low. At
> medium and high you need something else than self-asserted, but that
> doesn't mean that you get any organisational affiliation based on that. The
> home organisation affiliation is a totally different beast that is not coupled
> to the identity proofing itself. Low, medium and high "only" define how
> well you have proofed the individual, not where he/she belongs.

Agree, that is also what I meant. And also that a ‘true’ guest would get
‘affiliate AT domain.org’ (or no affiliation at all).

Cheers,
Maarten

>
> Pål
>
>>
>> Cheers,
>> Maarten
>>
>>>
>>> With that said, a non-organisational identity provider should not
>>> release any home organisation and affiliation values for the users.
>>> This is how the Swedish non-organisational IdP eduID.se does it today.
>>> eduID.se will start to release RAF values before the summer.
>>
>> I do agree with that, a vetted identity as such doesn’t say anything about any
>> possible affiliations. However, having said that, for eduID.nl (not in eduGAIN) we
>> do release eduid.nl as schacHomeOrg.
>>
>> On a sidenote, we do use the AuthnContextClassRef in our eduid.nl at the
>> moment for step-up on assurance levels (to indicate whether an eduID has been
>> stepped up by means of linking your eduid.nl account to a Dutch institutional
>> account, hence getting a higher level of proofing on the identity).
>> (https://wiki.surfnet.nl/pages/viewpage.action?pageId=35783850#:~:text=in%20eduID%20Profile-,https%3A//eduid.nl/trust/linked%2Dinstitution,-Require%20the%20user)
>>
>> Additional information can be retrieved by querying an API
>> (https://wiki.surfnet.nl/display/surfconextdev/eduID+API#:~:text=https%3A//login.eduid.nl/myconext/api/eduid/links)
>>
>> Cheers,
>> Maarten
>>
>>>
>>> Pål
>>>
>>>
>>> -----Original Message-----
>>> From: edugain-discuss-request AT lists.geant.org
>>> <edugain-discuss-request AT lists.geant.org> On Behalf Of Maarten Kremers
>>> Sent: Monday, May 16, 2022 9:19 AM
>>> To: Lukas Hämmerle <lukas.haemmerle AT switch.ch>
>>> Cc: edugain-discuss AT lists.geant.org
>>> Subject: Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?
>>>
>>> Hi Lukas,
>>>
>>> My 2 cents: I don’t think there is any official policy (albeit some
>>> implicit assumptions).
>>> The REFEDS Assurance framework would be of help in my view by
>>> signalling that an account is self asserted. This of course requires
>>> further uptake of RAF.
>>> Nevertheless it would be good to also have a more explicit view on what
>>> we as eduGAIN expect, this could be one of the actions of the eduGAIN
>>> futures work.
>>>
>>> Best regards,
>>> Maarten
>>>
>>>> On 16 May 2022, at 08:48, Lukas Hämmerle <lukas.haemmerle AT switch.ch>
>>> wrote:
>>>>
>>>> Hello all
>>>>
>>>> What is eduGAIN's current official policy and best-practice in terms of
>>>> guest and open Identity Providers where just anyone can create an account?
>>>>
>>>> As far as I see, there is nothing directly mentioned in the
>>>> constitution and declaration regarding this point. One relevant
>>>> document in this matter is the registration practice statement that
>>>> each federation writes (and changes) on its own.
>>>>
>>>> The "Registration practice statement" of a federation declares which
>>>> types of organisations are accepted in a federation. Assuming that a
>>>> university or a federation operator itself would operate a guest IdP
>>>> that allows just any user with a valid e-mail address to register an
>>>> account, would this be ok? Or are there any limits on which attributes
>>>> and values this IdP should/should not release?
>>>>
>>>> I know that there exists at least one guest IdP in eduGAIN (that releases
>>>> just a limited set of attributes) and that probably more exist. Still,
>>>> I'm interested in some current official response and view on this topic.
>>>>
>>>> The background of this question has to do with SWITCH edu-ID where we
>>>> currently publish the university IdPs in eduGAIN but don't allow
>>>> private identities (without university affiliation) to access eduGAIN services.
>>>> There are library use cases where people (without university
>>>> affiliation) need access to publisher resources (accessible via
>>>> eduGAIN). Therefore, we are exploring the options for how to allow access to
>>>> these users.
>>>>
>>>>
>>>> Best Regards
>>>> Lukas
>>>>
>>>> --
>>>> SWITCH
>>>> Lukas Hämmerle, Trust & Identity
>>>> Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
>>>> +41 44 268 15 64 lukas.haemmerle AT switch.ch http://www.switch.ch
>>>
>>> —
>>> Maarten Kremers
>>> Technical Product Manager Trust & Identity GÉANT Project Task Leader
>>> Trust & Identity Enabling Communities
>>>
>>> SURF | E maarten.kremers AT surf.nl | T +31 30 88 787 3000 | Available:
>>> Mon - Tue - Wed - Fri SURF is the collaborative organisation for ICT
>>> in Dutch education and research
>>
>> —
>> Maarten Kremers
>> Technical Product Manager Trust & Identity GÉANT Project Task Leader Trust &
>> Identity Enabling Communities
>>
>> SURF | E maarten.kremers AT surf.nl | T +31 30 88 787 3000 | Available: Mon -
>> Tue - Wed - Fri SURF is the collaborative organisation for ICT in Dutch
>> education and research


Maarten Kremers
Technical Product Manager Trust & Identity
GÉANT Project Task Leader Trust & Identity Enabling Communities

SURF | E maarten.kremers AT surf.nl | T +31 30 88 787 3000 | Available: Mon -
Tue - Wed - Fri
SURF is the collaborative organisation for ICT in Dutch education and research
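Editor's added example, not part of the message above and not code from eduGAIN, REFEDS, SWITCH or eduID: a small Python evaluator for the service-provider side of the discussion. It reads eduPersonAssurance, eduPersonScopedAffiliation and the AuthnContextClassRef out of a SAML assertion and keeps the three things RAF actually signals (identifier uniqueness, identity proofing level, affiliation freshness) separate from organisational affiliation, which is the distinction Pål and Maarten agree on. It then applies an assumed local policy for the library case Lukas describes: a self-asserted guest with `affiliate@` does not get in, a vetted identity or an institution-linked step-up does, and an organisational affiliation asserted by a guest IdP is ignored with a warning. The attribute OIDs and RAF value URIs are the published ones; the policy thresholds, the issuer hostnames, the constructed sample assertions and the choice to honour the eduid.nl linked-institution context (taken from the wiki URL in the thread) are assumptions. Signature and validity checking is assumed to be done by the SP software before this runs.

```python
"""Added example: split RAF signals from affiliation at an SP and apply an assumed local policy."""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree on untrusted XML

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
RAF = "https://refeds.org/assurance"            # asserted alone: IdP claims RAF conformance
IAP_RANK = {"low": 1, "medium": 2, "high": 3}   # RAF section 2.2 identity proofing levels
OID = {  # attribute names in urn:oid NameFormat, as released in eduGAIN
    "eduPersonAssurance": "urn:oid:1.3.6.1.4.1.5923.1.1.1.11",
    "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
}
ORG_AFFILIATIONS = {"member", "student", "faculty", "staff", "employee"}
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Step-up context from the eduID wiki URL in the thread; honouring it is a policy assumption here.
LINKED_INSTITUTION_CTX = "https://eduid.nl/trust/linked-institution"


def parse_assertion(xml_text):
    """Read attribute values and AuthnContextClassRef; signature/validity checks assumed done."""
    ns = {"saml": SAML}
    root = ET.fromstring(xml_text)
    attrs = {}
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", ns):
        vals = [v.text.strip() for v in a.iterfind("saml:AttributeValue", ns) if v.text]
        attrs.setdefault(a.get("Name"), []).extend(vals)
    ctx = root.findtext(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                        default="", namespaces=ns)
    return {"attributes": attrs, "authn_context": ctx.strip()}


def raf_signals(assurance_values):
    """RAF expresses ID uniqueness (ID/*), proofing (IAP/*) and affiliation freshness (ATP/*) only."""
    sig = {"conformant": False, "id": set(), "iap": 0, "atp": None, "profiles": set()}
    for v in assurance_values:
        if v == RAF:
            sig["conformant"] = True
        elif v.startswith(RAF + "/"):
            comp = v[len(RAF) + 1:]
            if comp.startswith("ID/"):
                sig["id"].add(comp[3:])
            elif comp.startswith("IAP/") and comp[4:] in IAP_RANK:
                sig["iap"] = max(sig["iap"], IAP_RANK[comp[4:]])  # highest level asserted
            elif comp.startswith("ATP/"):
                sig["atp"] = comp[4:]
            elif comp.startswith("profile/"):
                sig["profiles"].add(comp[8:])
    return sig  # non-RAF values are ignored


def library_access(parsed, guest_idp):
    """Assumed policy: admit on organisational affiliation from an organisational IdP, on a
    vetted identity (IAP>=medium plus ID/unique) or on the step-up context; 'affiliate' never."""
    attrs = parsed["attributes"]
    sig = raf_signals(attrs.get(OID["eduPersonAssurance"], []))
    scoped = attrs.get(OID["eduPersonScopedAffiliation"], [])
    org_aff = [s for s in scoped if s.split("@", 1)[0] in ORG_AFFILIATIONS]
    warnings = []
    if guest_idp and org_aff:  # a non-organisational IdP should not assert these
        warnings.append("guest IdP asserted organisational affiliation; ignored")
        org_aff = []
    stepped_up = parsed["authn_context"] == LINKED_INSTITUTION_CTX
    vetted = sig["iap"] >= IAP_RANK["medium"] and "unique" in sig["id"]
    if org_aff:
        reason = "organisational affiliation"
    elif stepped_up:
        reason = "institution-linked step-up"
    elif vetted:
        reason = "vetted identity (IAP>=medium, ID/unique)"
    else:
        reason = "self-asserted or unproofed identity"
    return {"allow": bool(org_aff or stepped_up or vetted), "reason": reason,
            "raf": sig, "warnings": warnings}


def make_assertion(issuer, assurance, scoped_affiliation, authn_context):
    """Constructed, unsigned minimal Assertion used only as sample input."""
    def attr(name, values):
        vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        return f'<saml:Attribute Name="{name}">{vals}</saml:Attribute>'
    return (f'<saml:Assertion xmlns:saml="{SAML}" Version="2.0" ID="_c1" '
            f'IssueInstant="2022-05-16T12:00:00Z"><saml:Issuer>{issuer}</saml:Issuer>'
            '<saml:AuthnStatement AuthnInstant="2022-05-16T12:00:00Z"><saml:AuthnContext>'
            f'<saml:AuthnContextClassRef>{authn_context}</saml:AuthnContextClassRef>'
            '</saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement>'
            + attr(OID["eduPersonAssurance"], assurance)
            + attr(OID["eduPersonScopedAffiliation"], scoped_affiliation)
            + '</saml:AttributeStatement></saml:Assertion>')


# Constructed cases (placeholder hostnames): a self-registered guest, the same guest
# after linking an institutional account, and a university user.
GUEST = make_assertion("https://idp.guest.example/idp", [RAF, RAF + "/ID/unique",
                       RAF + "/IAP/low", RAF + "/ATP/ePA-1m"], ["affiliate@guest.example"], PASSWORD_CTX)
GUEST_LINKED = make_assertion("https://idp.guest.example/idp", [RAF, RAF + "/ID/unique",
                              RAF + "/IAP/medium"], ["affiliate@guest.example"], LINKED_INSTITUTION_CTX)
UNIVERSITY = make_assertion("https://idp.uni.example/idp", [RAF, RAF + "/ID/eppn-unique-no-reassign",
                            RAF + "/IAP/medium", RAF + "/profile/cappuccino"], ["student@uni.example"], PASSWORD_CTX)

if __name__ == "__main__":
    for label, xml, guest in (("guest", GUEST, True), ("guest+link", GUEST_LINKED, True),
                              ("university", UNIVERSITY, False)):
        d = library_access(parse_assertion(xml), guest_idp=guest)
        print(f"{label:11s} allow={d['allow']} ({d['reason']}) iap={d['raf']['iap']} {d['warnings']}")
```

The `guest_idp` flag stands in for what an SP would derive from federation metadata (entity category, registration authority or a local allow-list), not from anything the IdP asserts about itself; the point of keeping RAF parsing and the affiliation check in separate functions is that an IAP level never implies an affiliation and vice versa.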




Archive powered by MHonArc 2.6.19.
