Conveying affiliation information from origin providers across infrastructures proxies as defined in G025 is only possible if the origin identity provider releases such information. In case no eduPersonScopedAffiliation is provided, it may be partially reconstructed according to these guidelines. If there is no reliable way to infer origin affiliation, no such affiliation should be asserted by infrastructure proxies.

Currently, infrastructure proxies seem to take varying approaches. Current understand (please correct if it's wrong!):

  • EGI Checkin: if scoped affiliation is not received, asks the user to enter their affiliation during registration in a free text field. Users can enter whatever they want, there is not controlled set of organizations
  • EUDAT B2ACCESS: seems to be doing something similar, also a freeform field for "Organisation Name" (unknown if it is ever forwarded to connected SPs)
  • LS AAI,: IdP that do not release scoped affiliation are not allowed at all
  • eduTEAMS: if an IdP does not provide scoped affiliation, then it is not forwarded either
  • INDIGO IAM: unknown

For a 'downstream' SP, it is thus impossible to determine if the value is authentic or user-self-asserted (and thus arbitrary). The policy area (in the EnCo meeting of April 29, 2020), was requested to give some guidance in this area.

AARC-G057 aims to address this ambiguity. Comments and discussion are now welcome!

Previous versions

  • No labels