edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
List archive
- From: Lukas Hämmerle <lukas.haemmerle AT switch.ch>
- To: Maarten Kremers <maarten.kremers AT surf.nl>
- Cc: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
- Subject: Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?
- Date: Tue, 17 May 2022 10:44:22 +0200
On 16.05.22 15:58, Maarten Kremers wrote:
The background of this question has to do with SWITCH edu-ID where
we currently publish the university IdPs in eduGAIN but don't allow
private identities (without university affiliation) to access
eduGAIN services. There are library use cases where people (without
university affiliation) need access to publisher resources
(accessible via eduGAIN). Therefore, we are exploring the options
how to allow access to these users.
How do you currently tackle the affiliation ? Which one do the
institutional users get (student AT university.ch ?) and which one
guests (affiliate AT eduid.ch ?)
The edu-ID IdP is a like an apache web server with several virtual hosts, but in this case the virtual hosts are university IdPs that the edu-IDP represents (see [1]).
When edu-ID users want to log in at an edu-GAIN service, they choose their university in the Discovery Service (e.g. university of Geneva). The Discovery Service then sends them to the edu-ID IDP where they authenticate. The attributes sent to the eduGAIN service look exactly like the university operated the IdP before they migrated to edu-ID, so e.g. eduPersonAffiliation=student;member
If we exposed the edu-ID IdP itself (kind of the default IdP), there would also be an IdP in eduGAIN metadata called "SWITCH edu-ID" (which there is currently not). Users selecting this Identity Provider then could choose if they want to login at the eduGAIN service as students of university of Geneva (or another organisation identity they linked to their edu-ID account) or if they want to log in with their private identity (that every users has and that is completely managed by the users themselves).
Login using a private identity (eduPerson=affiliate) is what would be needed to allow library users to access certain Service Providers that the libraries have licenses for.
So, what we consider is exposing the edu-ID Identity Provider in eduGAIN but restricting (on the IdP) the services that users can access with their private identity. Without this limitation we fear that edu-ID becomes a default IdP (with increased support for us) to access eduGAIN services :-)
Best Regards
Lukas
[1] SWITCH edu-ID: How to spoof Identity Providers
https://tnc19.geant.org/sessions/#s54
--
SWITCH
Lukas Hämmerle, Trust & Identity
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
+41 44 268 15 64 lukas.haemmerle AT switch.ch http://www.switch.ch
- Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?, (continued)
- Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?, Lukas Hämmerle, 16-May-2022
- Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?, Peter Brand, 16-May-2022
- Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?, Davide Vaghetti, 16-May-2022
- Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?, Lukas Hämmerle, 17-May-2022
- Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?, Maarten Kremers, 16-May-2022
- RE: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?, Pål Axelsson, 16-May-2022
- Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?, Maarten Kremers, 16-May-2022
- RE: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?, Pål Axelsson, 16-May-2022
- Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?, Maarten Kremers, 16-May-2022
- RE: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?, Pål Axelsson, 16-May-2022
- Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?, Maarten Kremers, 16-May-2022
- RE: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?, Pål Axelsson, 16-May-2022
- Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?, Maarten Kremers, 16-May-2022
- Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?, Lukas Hämmerle, 05/17/2022
Archive powered by MHonArc 2.6.19.