An open discussion list for topics related to the eduGAIN interfederation service.

[Janos Mohacsi <mohacsi.janos AT kifu.gov.hu>]

Dear all,

    Thanks for the discussion. The use case was more exact.  The access should be provided to educational  and research user identified by the European educational and research organisations regardless where the user is physically located.

    Currently we are proposing a quick and dirty solution, but we are planning to develop more precise solutions which is based on the authorisation time processing of eduGAIN metadata.

    Best Regards,

                Janos

On 2023. 03. 07. 15:27, Peter Brand wrote:

> ZAdJ7F2uRfJZ0b9z AT aco.net">
> János, Muhammad, et al.,
>
> * Muhammad Farhan SJAUGI <farhan AT sifulan.my> [2023-03-07 11:15]:
> > Or the SP could also consume the eduGAIN metadata, but filter the
> > registration authority to your federation target (i.e. from european
> > countries). You can use pyFF for this purpose.
> >       
> Well, certainly rather this and not what you wrote earlier (searching
> for and consuming individual federation's "local" metadata feeds and
> then verifing the signature on each one with a separate key etc.) --
> so going with your usual eduGAIN-enabled feed would be the first step.
>
> And while the next step could indeed be allowing only IDPs from
> enumerated registration authorities (where you hand-pick registration
> authorities based on whether they represent a "European" country) this
> gets hairy quickly, as one would expect:
> What is a "European user" after all? (A question the specific SP will
> have to determine based on its given constraints, e.g. license or
> contract terms.)
>
> * A natural person with citizenship from a European country?
> * A subject accessing services while physically being located within a
> * European country?
>   (Not to be conflated with an IP address that some geoip database
>   claims to be located within a European country, btw, but how else
>   are we supposed to determine "physical location", if that mattered?)
> * A subject that merely authenticated successfully at an IDP where
>   that IDP has been registered by a federation that's "European"?
>
> Note that some federations, e.g. the UK Federation, may register IDPs
> from anywhere, not restricted to IDPs that are somehow "from" (located
> in, operator for, etc.) the local nation state.
> So an IDP having been registered by a "European" federation doesn't
> necessarily make the IDP itself "European". Nor does it make people
> being able to authenticate at such an IDP "Europeans". Does it make
> them "European users"?
>
> So what you wrote, Muhammad, is likely the only thing we as federation
> operators can easily provide in terms of a simple implementation.
> Whether that's "close enough" or possibly completely inacceptable for
> the SP in question depends on their constrains and likely their risk
> tolerance.
>
> HTH,
> -peter
>
>

--

Janos Mohacsi
Head of International R&D, Infrastructure Division, T&I service owner
GÉANT activity coordinator in Hungary, EOSC representative

Governmental Agency for Information Technology Development
address: 1134 Budapest, Váci út 35.   P.O.Box: 1255 Bp., Pf.: 182.
mobile: +36 30 555 7599   e-mail: mohacsi.janos AT kifu.gov.hu