edugain-discuss AT lists.geant.org
- From: Peter Brand <peter.brand AT univie.ac.at>
- To: edugain-discuss AT lists.geant.org
- Subject: Re: [eduGAIN-discuss] Special use-case
- Date: Tue, 7 Mar 2023 15:27:56 +0100
János, Muhammad, et al.,
* Muhammad Farhan SJAUGI <farhan AT sifulan.my> [2023-03-07 11:15]:
> Or the SP could also consume the eduGAIN metadata, but filter the
> registration authority to your federation target (i.e. from european
> countries). You can use pyFF for this purpose.
Well, certainly rather this and not what you wrote earlier (searching
for and consuming individual federation's "local" metadata feeds and
then verifying the signature on each one with a separate key etc.) --
so going with your usual eduGAIN-enabled feed would be the first step.
And while the next step could indeed be allowing only IDPs from
enumerated registration authorities (where you hand-pick registration
authorities based on whether they represent a "European" country) this
gets hairy quickly, as one would expect:
What is a "European user" after all? (A question the specific SP will
have to determine based on its given constraints, e.g. license or
contract terms.)
* A natural person with citizenship from a European country?
* A subject accessing services while physically being located within a
European country?
(Not to be conflated with an IP address that some geoip database
claims to be located within a European country, btw, but how else
are we supposed to determine "physical location", if that mattered?)
* A subject that merely authenticated successfully at an IDP where
that IDP has been registered by a federation that's "European"?
Note that some federations, e.g. the UK Federation, may register IDPs
from anywhere, not restricted to IDPs that are somehow "from" (located
in, operator for, etc.) the local nation state.
So an IDP having been registered by a "European" federation doesn't
necessarily make the IDP itself "European". Nor does it make people
being able to authenticate at such an IDP "Europeans". Does it make
them "European users"?
So what you wrote, Muhammad, is likely the only thing we as federation
operators can easily provide in terms of a simple implementation.
Whether that's "close enough" or possibly completely unacceptable for
the SP in question depends on their constraints and likely their risk
tolerance.
HTH,
-peter