edugain-discuss - Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?


  • From: Lukas Hämmerle <lukas.haemmerle AT switch.ch>
  • To: Maarten Kremers <maarten.kremers AT surf.nl>
  • Cc: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?
  • Date: Tue, 17 May 2022 10:44:22 +0200

On 16.05.22 15:58, Maarten Kremers wrote:
> > The background of this question has to do with SWITCH edu-ID where
> > we currently publish the university IdPs in eduGAIN but don't allow
> > private identities (without university affiliation) to access
> > eduGAIN services. There are library use cases where people (without
> > university affiliation) need access to publisher resources
> > (accessible via eduGAIN). Therefore, we are exploring the options
> > how to allow access to these users.
>
> How do you currently tackle the affiliation? Which one do the
> institutional users get (student AT university.ch?) and which one
> guests (affiliate AT eduid.ch?)

The edu-ID IdP is like an Apache web server with several virtual hosts, but in this case the virtual hosts are university IdPs that the edu-ID IdP represents (see [1]).

When edu-ID users want to log in at an eduGAIN service, they choose their university in the Discovery Service (e.g. University of Geneva). The Discovery Service then sends them to the edu-ID IdP where they authenticate. The attributes sent to the eduGAIN service look exactly like the university operated the IdP before they migrated to edu-ID, so e.g. eduPersonAffiliation=student;member

If we exposed the edu-ID IdP itself (kind of the default IdP), there would also be an IdP in eduGAIN metadata called "SWITCH edu-ID" (which there is currently not). Users selecting this Identity Provider could then choose if they want to log in at the eduGAIN service as students of the University of Geneva (or another organisation identity they linked to their edu-ID account) or if they want to log in with their private identity (that every user has and that is completely managed by the users themselves).

Login using a private identity (eduPerson=affiliate) is what would be needed to allow library users to access certain Service Providers that the libraries have licenses for.

So, what we consider is exposing the edu-ID Identity Provider in eduGAIN but restricting (on the IdP) the services that users can access with their private identity. Without this limitation we fear that edu-ID becomes a default IdP (with increased support for us) to access eduGAIN services :-)


Best Regards
Lukas

[1] SWITCH edu-ID: How to spoof Identity Providers
https://tnc19.geant.org/sessions/#s54

--
SWITCH
Lukas Hämmerle, Trust & Identity
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
+41 44 268 15 64 lukas.haemmerle AT switch.ch http://www.switch.ch
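The access model Lukas sketches above (one IdP representing several university "virtual hosts", plus a private identity that may only reach library-licensed SPs) can be made concrete with a small policy simulation. The code below is an added illustration written for this archive page, not SWITCH edu-ID's own implementation; the entity IDs, scopes, account data and the allowlist of publisher SPs are constructed placeholders. It picks the linked identity matching the tenant the user chose in the Discovery Service, issues the assertion under that tenant's entity ID, and enforces the IdP-side restriction for private (affiliate AT eduid.ch) identities before any attributes are released.

```python
"""Toy IdP-side access policy for a multi-tenant ("virtual host") IdP.

Added example for this discussion; not SWITCH edu-ID code. All entity IDs,
scopes, accounts and the SP allowlist below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed: which SAML issuer the IdP uses for each represented tenant.
TENANT_ISSUERS: Dict[str, str] = {
    "unige.ch": "https://idp.unige.ch/idp/shibboleth",  # represented university IdP
    "eduid.ch": "https://eduid.ch/idp/shibboleth",      # the "default" edu-ID IdP itself
}
PRIVATE_SCOPE = "eduid.ch"

# Constructed allowlist: SPs that library-licensed private identities may reach.
PRIVATE_IDENTITY_ALLOWED_SPS = {"https://sp.publisher.example/shibboleth"}


@dataclass(frozen=True)
class LinkedIdentity:
    scope: str                      # e.g. "unige.ch" or the private scope "eduid.ch"
    affiliations: Tuple[str, ...]   # eduPersonAffiliation values for this identity


@dataclass(frozen=True)
class Account:
    user_id: str
    identities: Tuple[LinkedIdentity, ...]   # every account has the private identity

    def identity_for(self, scope: str) -> Optional[LinkedIdentity]:
        """Return the linked identity for the tenant chosen in the Discovery Service."""
        for ident in self.identities:
            if ident.scope == scope:
                return ident
        return None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    issuer: Optional[str]
    attributes: Dict[str, str]
    reason: str


def authorize(account: Account, chosen_scope: str, sp_entity_id: str) -> Decision:
    """Decide whether the IdP issues an assertion, and with which issuer/attributes."""
    ident = account.identity_for(chosen_scope)
    if ident is None:
        # The user picked a university in the DS but has no identity linked for it.
        return Decision(False, None, {}, f"no identity linked for scope {chosen_scope}")

    issuer = TENANT_ISSUERS[chosen_scope]

    # IdP-side restriction: private identities only reach licensed SPs.
    if ident.scope == PRIVATE_SCOPE and sp_entity_id not in PRIVATE_IDENTITY_ALLOWED_SPS:
        return Decision(False, issuer, {}, "private identity not licensed for this SP")

    # Attributes look exactly as if the represented university IdP had issued them.
    attrs = {
        "eduPersonPrincipalName": f"{account.user_id}@{ident.scope}",
        "eduPersonAffiliation": ";".join(ident.affiliations),
        "eduPersonScopedAffiliation": ";".join(f"{a}@{ident.scope}" for a in ident.affiliations),
    }
    return Decision(True, issuer, attrs, "ok")


# Constructed sample accounts.
ALICE = Account("alice", (
    LinkedIdentity("unige.ch", ("student", "member")),   # linked organisational identity
    LinkedIdentity(PRIVATE_SCOPE, ("affiliate",)),        # private identity everyone has
))
BOB = Account("bob", (LinkedIdentity(PRIVATE_SCOPE, ("affiliate",)),))  # library patron only

PUBLISHER_SP = "https://sp.publisher.example/shibboleth"
OTHER_SP = "https://sp.research-portal.example/shibboleth"

if __name__ == "__main__":
    for who, scope, sp in [(ALICE, "unige.ch", OTHER_SP), (BOB, PRIVATE_SCOPE, PUBLISHER_SP),
                           (BOB, PRIVATE_SCOPE, OTHER_SP), (BOB, "unige.ch", OTHER_SP)]:
        d = authorize(who, scope, sp)
        print(who.user_id, scope, sp, "->", d.allowed, d.reason, d.issuer, d.attributes)
```

The important design point is that the allowlist check keys on the identity actually used for the assertion, not on the account: Alice reaches any SP when logging in with her linked University of Geneva identity, but her private identity is subject to the same restriction as Bob's.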


