
edugain-discuss - Re: [eduGAIN-discuss] Special use-case

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Peter Brand <peter.brand AT univie.ac.at>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] Special use-case
  • Date: Thu, 9 Mar 2023 13:21:31 +0100

* Janos Mohacsi <mohacsi.janos AT kifu.gov.hu> [2023-03-09 11:47]:
> Thanks for the discussion. The use case was more exact. The access
> should be provided to educational and research user identified by
> the European educational and research organisations regardless where
> the user is physically located.

Unfortunately that doesn't make your life any easier as you'd still
have to satisfy both parts of this supposedly simple requirement, and
there's no way to do either automatically, today:

* the "educational and research organisation" part, as well as
* the "European ... organisation" part.

We have no way of identifying "educational and research organisations"
automatically and at scale because we couldn't agree on the criteria.
See this never approved/deployed draft specification:
https://wiki.refeds.org/display/CON/Consultation%3A+Academic+Institution+Entity+Category

Registration practices (what kind of organisations may register a SAML
IDP in the local federation and have it exposed to the wider community
via eduGAIN) vary widely across the currently 79 federations
participating in eduGAIN.
I.e., a SAML IDP registered in (m)any of those federations is not
*necessarily* an academic (or "educational" and "research" related)
IDP itself -- it might also represent a commercial corporation, a
public administration body, or something else that doesn't fit your
(or anyone's) definition of "educational and research organisation".

And even if we had a way to assign an "academic" label to IDPs (the
failed spec referenced above) you'd still have to solve the second
part of the problem, that of "*European* educational and research
organisations", as I've already explained earlier.
I.e., a SAML IDP registered in a European federation is not
*necessarily* an IDP representing a European organisation itself --
it might also represent an organisation located elsewhere/anywhere
in the world.

(Personally, I feel the latter issue -- registering IDPs from
"outside" the local country -- may be much less common but you'd still
have to deal with the IDPs from those federations that do allow for
that. And in the case of the UKFederation that's the largest academic
identity federations on the planet, with almost 600 IDPs in eduGAIN. I
can't be sure it's the only one, either.)

> Currently we are proposing a quick and dirty solution, but we are
> planning to develop more precise solutions which is based on the
> authorisation time processing of eduGAIN metadata.

No idea what "authorisation time processing of eduGAIN metadata"
means, but given what I explained above (no way to automatically
identify either "educational and research" organisations nor
"European" ones) I'm pretty sure you'll be left with implementing
something more or less "dirty" in any case.
(Might as well make it "quick", then, I suppose. ;))

Best regards
-peter


