...

See tracking information in the GÉANT Harmonisation task: 1.1 Entity Categories.

...

Purpose

This document presents the status of entity category adoption within the eduGAIN inter-federation. It therefore focuses on trans-border service providers (SPs) that are republished in the eduGAIN metadata. Studying the current adoption of categories and policies by those SPs helps identify the successful uses and the remaining challenges for upcoming SPs: are the categories or policies adopted and used in practice, and what are the obstacles to further deployment? This document tries to give a current view of the remaining challenges for scalable policies that would make federated services more accessible to research communities.

Challenges

Attribute release and trust among providers in identity federations are the key elements of a successful collaboration. Trust is settled through the federation's legal framework, to which providers agree. Attribute release, on the other hand, is a more complex problem, both technically and legally (data protection).

To overcome this, several attempts to categorise service providers have emerged in recent years. Some categorisations involve data minimisation and purpose limitation on attribute release, while others try to group service providers based on their business profile and common attribute requirements.

The most significant efforts in the policy area are the "GÉANT Data Protection Code of Conduct" (CoCo)[1], in its European version or its upcoming international form, and the "REFEDS Research and Scholarship" category[2]. Other categories are already being considered or are in advanced discussion (Academia, library...). Even if the GÉANT CoCo is more than just an SP category, at the metadata level the service providers and the agreeing identity providers are tagged with a SAML 2.0 Entity Category.

Tools

To collect this information, we use the tools that eduGAIN currently offers:

This study is limited to the publicly available information on the eduGAIN tools that read the aggregated metadata.

Status on Categories Use

Using the latter tool, we can easily extract the entities that have endorsed the R&S category or the GÉANT CoCo. The figures are telling: only 190 entities (without removing duplicates, i.e. an entity tagged for both is counted twice) out of 2385 announce category/policy support.

 

GÉANT EU/EEA Data Protection Code of Conduct:

  • 105 entities in total
    • 42 IdP
    • 63 SP

REFEDS Research & Scholarship Category:

  • 85 entities in total
    • 39 IdP
    • 47 SP

The GÉANT CoCo and the REFEDS R&S have been finalised for about a year, and we notice that adoption is slow among the community.

The two documents are short and clear, but national federation operators should help their deployment by:

  • Advertising them to the SPs;
  • Possibly translating them into the country's language;
  • Implementing a way of tagging the entities that support categories when the entity is registered (federation registry).

 

In practice, IdPs have to be technically able to release the necessary attributes to the categorised SPs, while those SPs have to be legally reliable in processing those attributes.

The two categories above do not cover all types of SPs (commercial, business models...) or all the communities running them (Physics, libraries...). Other categories are surely needed, together with an effective way of presenting them and helping each SP find the right category.

Some federations have already put in place national categories to help IdP managers easily scale their attribute release mechanisms. Grouping SPs is the way to go to avoid per-SP attribute filtering. Such categorisation needs clear definitions, and federation operators should be in charge of advertising the categories and implementing them at the federation registry level. Indeed, categorising SPs should also lead to common attribute requirements. This attribute subset must be negotiated with SP managers to keep the mandatory attributes to a minimum and tag the others as optional.

The Federation Éducation-Recherche experience (FR)

The French academic federation introduced SP categories four years ago (2011). For each category, it distributed a set of attribute filters that automated attribute release at the IdP level. It noticed that IdP managers are generally not keen to update their IdP configurations regularly, since there is always a risk of breaking the service. A vast majority simply started using the filter containing all the categories, even though this is not satisfactory privacy-wise.

Because the Shibboleth software is based on the SAML 2.0 specifications, its implementation allows dynamic attribute release "negotiation", i.e. exploiting the <md:RequestedAttribute> elements of the SP's metadata[3]. The French federation's administrators will progressively abandon the automated filter distribution and rely more and more on that feature. But even with this feature, IdP managers and data privacy officers want a way to distinguish between SPs. The GÉANT EU/EEA CoCo is a way to scale attribute release effectively, and federation operators should, in the first place, promote the adoption of this policy.
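As an added illustration (not part of the original page, and not an eduGAIN, GÉANT or Shibboleth tool), the following Python reads a SAML metadata aggregate and does two things this page discusses: it reproduces the category count of the "Status on Categories Use" section, including the summed-versus-unique figure, and it simulates the category-driven attribute release the French federation is moving towards, releasing a fixed bundle to R&S SPs and only the attributes marked isRequired="true" in <md:RequestedAttribute> to CoCo SPs. The sample metadata, the entity IDs, the IDP_A_OFFERS set and the simplified R&S bundle are constructed assumptions; the entity-attribute names and category URIs are the ones actually used in eduGAIN metadata.

```python
"""Count entity-category adoption in SAML metadata and simulate category-driven attribute release."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EC = "http://macedir.org/entity-category"                  # SP side: categories the SP belongs to
EC_SUPPORT = "http://macedir.org/entity-category-support"  # IdP side: categories the IdP agrees to serve
RS = "http://refeds.org/category/research-and-scholarship"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
# Assumption: the set this IdP releases to any R&S SP (simplified R&S bundle, by friendly name).
RS_BUNDLE = {"eduPersonPrincipalName", "mail", "displayName", "eduPersonScopedAffiliation"}
# Assumption: attributes idp-a can resolve for its users.
IDP_A_OFFERS = {"eduPersonPrincipalName", "mail", "displayName", "eduPersonScopedAffiliation", "eduPersonEntitlement"}

# Constructed sample aggregate (not real eduGAIN data): one IdP supporting both tags, one R&S SP,
# one CoCo SP and one untagged SP. Entity IDs are invented.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <md:EntityDescriptor entityID="https://idp-a.example.org/idp">
  <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category-support">
   <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
   <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
  </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp-rs.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">
   <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
  </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:AttributeConsumingService index="0">
    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName" isRequired="true"/>
   </md:AttributeConsumingService></md:SPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp-coco.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">
   <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
  </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:AttributeConsumingService index="0">
    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName" isRequired="true"/>
    <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement" isRequired="false"/>
   </md:AttributeConsumingService></md:SPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp-plain.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def parse_entities(xml_text):
    """One dict per EntityDescriptor: roles, entity categories, supported categories, requested attributes."""
    entities = []
    for ed in ET.fromstring(xml_text).iter(f"{{{NS['md']}}}EntityDescriptor"):
        tags = {}
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            tags[attr.get("Name")] = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
        requested = {}  # friendly name -> isRequired flag, taken from <md:RequestedAttribute>
        for ra in ed.findall("md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute", NS):
            requested[ra.get("FriendlyName") or ra.get("Name")] = ra.get("isRequired", "false").lower() == "true"
        entities.append({
            "entityID": ed.get("entityID"),
            "is_idp": ed.find("md:IDPSSODescriptor", NS) is not None,
            "is_sp": ed.find("md:SPSSODescriptor", NS) is not None,
            "categories": tags.get(EC, set()),
            "supports": tags.get(EC_SUPPORT, set()),
            "requested": requested,
        })
    return entities


def category_counts(entities, categories=(RS, COCO)):
    """Per-category IdP/SP counts plus summed vs unique totals (an entity in two categories is summed twice)."""
    per_category = {}
    for cat in categories:
        sps = {e["entityID"] for e in entities if e["is_sp"] and cat in e["categories"]}
        idps = {e["entityID"] for e in entities if e["is_idp"] and cat in e["supports"]}
        per_category[cat] = {"idp": len(idps), "sp": len(sps), "total": len(sps | idps)}
    unique = {e["entityID"] for e in entities
              if any(c in e["categories"] or c in e["supports"] for c in categories)}
    return {"per_category": per_category,
            "summed": sum(v["total"] for v in per_category.values()), "unique": len(unique)}


def attributes_to_release(idp, idp_offers, sp):
    """Metadata-only release decision. R&S: fixed bundle when both sides carry the tag. CoCo: only the
    SP's isRequired="true" attributes (data minimisation), again only if the IdP declared support.
    An untagged SP gets nothing here; it would need a per-SP rule, which is what categories avoid."""
    released = set()
    if RS in sp["categories"] and RS in idp["supports"]:
        released |= RS_BUNDLE & idp_offers
    if COCO in sp["categories"] and COCO in idp["supports"]:
        released |= {name for name, required in sp["requested"].items() if required} & idp_offers
    return released


if __name__ == "__main__":
    ents = parse_entities(SAMPLE_METADATA)
    print(category_counts(ents))
    idp_a = next(e for e in ents if e["entityID"] == "https://idp-a.example.org/idp")
    for sp in (e for e in ents if e["is_sp"]):
        print(sp["entityID"], sorted(attributes_to_release(idp_a, IDP_A_OFFERS, sp)))
```

In a Shibboleth IdP the same decision is expressed in the attribute filter policy: a PolicyRequirementRule of type EntityAttributeExactMatch on http://macedir.org/entity-category selects the SPs of a category, and for CoCo the AttributeInMetadata matcher with onlyIfRequired limits the permitted values to what the SP declares as required. The script deliberately checks the IdP's own entity-category-support tag too, since an IdP that has not agreed to the CoCo has no basis for releasing under it.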

Remark: Other feedback from academic federations that have been running categories for a significant time would be enlightening.

The attributes values issue

Some community SPs, like libraries or research communities[4], need the provision (release) of a certain attribute (e.g. affiliation, entitlement, isMemberOf...) together with a certain value, often tailored to those SPs. This scenario is the most complex: it forces the IdP manager to intervene and update the values in the IdP back-end (affiliations) or to dynamically generate a new value (entitlements) for each new SP.

Defining categories on attribute values should also be considered to ease deployment at the IdP level. These categories would restrict or make use of common attributes and values for a given group of SPs, or rely during the authorisation process on additional (custom) attributes provided by Attribute Authorities (community IdPs).

Conclusion

Defining what makes a category or a policy a good and scalable "framework" is necessary. In the meantime, instruction and support actions should be taken within national federations and followed up at the eduGAIN level. Community SPs and their requirements should be well defined and categorised before engaging with IdP managers.